Active Directory + LDAP + groups for dynamic VLAN assignment
Michael Schwartzkopff
misch at schwartzkopff.org
Thu Jan 10 09:34:04 CET 2013
On Wednesday, 9 January 2013, 16:51:22, Matthew Ceroni wrote:
> Hi:
>
> I am using FreeRadius version 2.1.12 on CentOS6.
>
> I am authenticating against Active Directory (that works). And authorizing
> against LDAP (that works as well).
>
> I am trying to return attributes, used for VLAN assignment, based on the
> usersDN.
>
> In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the
> following
>
>
> #
> # The ldap module will set Auth-Type to LDAP if it has not
> # already been set
> ldap
> if (control:Ldap-UserDn =~ /OU=QA/) {
>     update reply {
>         Tunnel-Type:1 := 13
>         Tunnel-Medium-Type:1 := 6
>         Tunnel-Private-Group-Id:1 := 7
>     }
> }
> elsif (control:Ldap-UserDn =~ /OU=IT/) {
>     update reply {
>         Tunnel-Type:1 := 13
>         Tunnel-Medium-Type:1 := 6
>         Tunnel-Private-Group-Id:1 := 2
>     }
> }
> else {
>     update reply {
>         Tunnel-Type:1 := 13
>         Tunnel-Medium-Type:1 := 6
>         Tunnel-Private-Group-Id:1 := 21
>     }
> }
>
> In the authorize section. That works, when authorize is done it queries
> LDAP successfully.
>
> Looking through the radius debug I see the IF statements processing:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0,
> length=122
> User-Name = "mceroni"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = 0x0200000c016d6365726f6e69
> Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "mceroni", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] No '\' in User-Name = "mceroni", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
> [eap] EAP packet type response id 0 length 12
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for mceroni
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] ... expanding second conditional
> [ldap] expand: %{User-Name} -> mceroni
> [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (samAccountName=mceroni)
> [ldap] expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail
> OU,dc=clairmail,dc=local
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0
> [ldap] bind as svnadmin at clairmail.local/iBis93sLit+ to
> cmad01.clairmail.local:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with
> filter (samAccountName=mceroni)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?
> [ldap] user mceroni authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++? if (control:Ldap-UserDn =~ /OU=QA/)
> ? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
> ++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
> ++? elsif (control:Ldap-UserDn =~ /OU=IT/)
> ? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
> ++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
> ++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}
> +++[reply] returns ok
>
> And it appears to set the attributes:
>
> +[pap] returns noop
> ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/)
> expand: %{request:User-Name} -> mceroni
> ? Evaluating ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) ->
> FALSE
> ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
> Tunnel-Type:1 = VLAN
> Tunnel-Medium-Type:1 = IEEE-802
> Tunnel-Private-Group-Id:1 = "2"
> EAP-Message = 0x010100061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x2a1689d42a17904c9b87561fac99b7b3
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1,
> length=250
> User-Name = "mceroni"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message =
> 0x0201007a198000000070160301006b01000067030150ee101279602ec4eddc8d6cfc926da8
> 5eee0e034a2c20ea6abd4fd75e1ea55500003a00390038008800870035008400160013000a00
> 330032009a009900450044002f00960041000500040015001200090014001100080006000300
> ff0100000400230000
> State = 0x2a1689d42a17904c9b87561fac99b7b3
> Message-Authenticator = 0x0a3e365c6cd7a8ae795def8cb962360e
>
>
> But in the final response those attributes are not there.
>
> Sending Access-Accept of id 9 to 127.0.0.1 port 48400
> MS-MPPE-Recv-Key =
> 0xf318d3dd21910be1544fd848af03baebe4f23ae85b786100b02b967d4cc1761e
> MS-MPPE-Send-Key =
> 0xa01a409bf3f54388c69613c576e657605022285909917ddbee9e52e776c3b0e1
> EAP-Message = 0x03090004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "mceroni"
>
>
> Any help would be appreciated.
>
> Thanks
Hi,
please set use_tunneled_reply=yes in the outer tunnel. Then FR copies the
attributes from the inner tunnel to the outer reply.
Greetings,
--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
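As an added example (not from this thread and not the FreeRADIUS project's own configuration), here is the setting the reply refers to, in the FreeRADIUS 2.x eap.conf layout, next to the inner-tunnel policy that produces the VLAN attributes. The OU names, VLAN IDs and file paths come from the question; the RDN-anchored regexes and the comments are my assumptions about how a practitioner would tighten the policy, not something the thread prescribes:

```conf
# /etc/raddb/eap.conf (FreeRADIUS 2.x layout). Added example, not the thread's own config.
# With PEAP/TTLS the user is authenticated inside the TLS tunnel, in the "inner-tunnel"
# virtual server. Attributes set there stay in the inner reply unless use_tunneled_reply
# tells the eap module to copy them onto the outer Access-Accept that the NAS sees.
eap {
    default_eap_type = peap
    # tls { ... } and the other sub-sections are left at their defaults here.

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes    # outer request attrs (Calling-Station-Id, ...) visible inside
        use_tunneled_reply = yes        # copy inner reply (Tunnel-*) to the outer Access-Accept
        virtual_server = "inner-tunnel"
    }

    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

# /etc/raddb/sites-enabled/inner-tunnel, authorize section, after the ldap call.
# Assumption: AD returns DNs of the form CN=...,OU=IT,OU=...,DC=...,DC=..., so the
# match is anchored on the RDN boundary. An unanchored /OU=IT/ would also match an
# OU named, say, ITContractors, or an "OU=IT" that appears deeper in the tree.
ldap
if (control:Ldap-UserDn =~ /(^|,)OU=QA,/) {
    update reply {
        Tunnel-Type:1 := VLAN               # 13
        Tunnel-Medium-Type:1 := IEEE-802    # 6
        Tunnel-Private-Group-Id:1 := 7
    }
}
elsif (control:Ldap-UserDn =~ /(^|,)OU=IT,/) {
    update reply {
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := 2
    }
}
else {
    # Catch-all: every other authenticated user lands here, so this VLAN
    # should be a restricted one (guest/quarantine), not a trusted network.
    update reply {
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := 21
    }
}
```

After restarting radiusd, re-run the test under `radiusd -X`: the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes should then appear in the "Sending Access-Accept" block rather than only in the first Access-Challenge. Two caveats a practitioner should keep in mind. First, the outer User-Name in PEAP/TTLS is not authenticated (supplicants may send an anonymous outer identity), so the VLAN decision belongs in inner-tunnel on the identity that actually authenticated; use_tunneled_reply is what gets that decision to the NAS. Second, `radiusd -X` prints the LDAP bind password in the clear (the "bind as ..." line in the quoted debug above shows it), so scrub that line before pasting output anywhere, and treat a password that has already been pasted as compromised.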