Active Directory + LDAP + groups for dynamic VLAN assignment

Michael Schwartzkopff misch at schwartzkopff.org
Thu Jan 10 09:34:04 CET 2013


On Wednesday, 9 January 2013, 16:51:22, Matthew Ceroni wrote:
> Hi:
> 
> I am using FreeRadius version 2.1.12 on CentOS6.
> 
> I am authenticating against Active Directory (that works) and authorizing
> against LDAP (that works as well).
> 
> I am trying to return attributes, used for VLAN assignment, based on the
> user's DN.
> 
> In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the
> following in the authorize section:
> 
> 
>         #
>         #  The ldap module will set Auth-Type to LDAP if it has not
>         #  already been set
>         ldap
>         if (control:Ldap-UserDn =~ /OU=QA/) {
>                update reply {
>                        Tunnel-Type:1 := 13
>                        Tunnel-Medium-Type:1 := 6
>                        Tunnel-Private-Group-Id:1 := 7
>                }
>         }
>         elsif (control:Ldap-UserDn =~ /OU=IT/) {
>                 update reply {
>                         Tunnel-Type:1 := 13
>                         Tunnel-Medium-Type:1 := 6
>                         Tunnel-Private-Group-Id:1 := 2
>                 }
>         }
>         else {
>                update reply {
>                        Tunnel-Type:1 := 13
>                        Tunnel-Medium-Type:1 := 6
>                        Tunnel-Private-Group-Id:1 := 21
>                }
>         }
> 
> That works: when authorize is done it queries LDAP successfully.
> 
> Looking through the radius debug I see the IF statements processing:
> 
> rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0,
> length=122
>         User-Name = "mceroni"
>         NAS-IP-Address = 127.0.0.1
>         Calling-Station-Id = "02-00-00-00-00-01"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message = 0x0200000c016d6365726f6e69
>         Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "mceroni", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] No '\' in User-Name = "mceroni", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
> [eap] EAP packet type response id 0 length 12
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for mceroni
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> mceroni
> [ldap]  expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (samAccountName=mceroni)
> [ldap]  expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail
> OU,dc=clairmail,dc=local
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0
>   [ldap] bind as svnadmin at clairmail.local/iBis93sLit+ to
> cmad01.clairmail.local:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with
> filter (samAccountName=mceroni)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the
> user is configured correctly?
> [ldap] user mceroni authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++? if (control:Ldap-UserDn =~ /OU=QA/)
> ? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
> ++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
> ++? elsif (control:Ldap-UserDn =~ /OU=IT/)
> ? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
> ++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
> ++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}
> +++[reply] returns ok
> 
> And it appears to set the attributes:
> 
> +[pap] returns noop
> ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/)
>         expand: %{request:User-Name} -> mceroni
> ? Evaluating ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) ->
> FALSE
> ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
>         Tunnel-Type:1 = VLAN
>         Tunnel-Medium-Type:1 = IEEE-802
>         Tunnel-Private-Group-Id:1 = "2"
>         EAP-Message = 0x010100061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x2a1689d42a17904c9b87561fac99b7b3
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1,
> length=250
>         User-Name = "mceroni"
>         NAS-IP-Address = 127.0.0.1
>         Calling-Station-Id = "02-00-00-00-00-01"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         EAP-Message =
> 0x0201007a198000000070160301006b01000067030150ee101279602ec4eddc8d6cfc926da8
> 5eee0e034a2c20ea6abd4fd75e1ea55500003a00390038008800870035008400160013000a00
> 330032009a009900450044002f00960041000500040015001200090014001100080006000300
> ff0100000400230000
>         State = 0x2a1689d42a17904c9b87561fac99b7b3
>         Message-Authenticator = 0x0a3e365c6cd7a8ae795def8cb962360e
> 
> 
> But in the final response those attributes are not there.
> 
> Sending Access-Accept of id 9 to 127.0.0.1 port 48400
>         MS-MPPE-Recv-Key =
> 0xf318d3dd21910be1544fd848af03baebe4f23ae85b786100b02b967d4cc1761e
>         MS-MPPE-Send-Key =
> 0xa01a409bf3f54388c69613c576e657605022285909917ddbee9e52e776c3b0e1
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "mceroni"
> 
> 
> Any help would be appreciated.
> 
> Thanks

Hi,

Please set the

use_tunneled_reply=yes

in the outer tunnel. Then FR copies the attributes from the inner tunnel to 
the outer reply.

Greetings,

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
Fax: (089) 620 304 13
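As an added example (not part of the reply above or the poster's own files), this is what the advice looks like in the FreeRADIUS 2.1.x configuration: the outer eap.conf stanza that copies the inner-tunnel reply into the final Access-Accept, and the inner-tunnel authorize logic that sets the VLAN attributes. It assumes PEAP (the Access-Challenge in the debug carries EAP type 25), the OU names from the question, and DNs returned by AD without spaces after the commas.

```conf
# /etc/raddb/eap.conf  (added example, FreeRADIUS 2.1.x)
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
        # The inner EAP-MSCHAPv2 exchange is processed by this virtual server,
        # so the ldap call and the Ldap-UserDn checks must be in ITS authorize
        # section; what the outer "default" server puts in the reply only
        # reaches the Access-Challenge, as the debug output shows.
        virtual_server = "inner-tunnel"
        # Hand the outer request attributes (User-Name, NAS-*) to the inner
        # request so the inner ldap lookup resolves the same user.
        copy_request_to_tunnel = yes
        # Copy the inner-tunnel reply (Tunnel-Type, Tunnel-Medium-Type,
        # Tunnel-Private-Group-Id) into the final outer Access-Accept.
        use_tunneled_reply = yes
    }
}

# /etc/raddb/sites-enabled/inner-tunnel, authorize section (added example)
authorize {
    mschap
    suffix
    eap
    files
    ldap
    # Match a whole RDN (",OU=IT,") rather than the bare substring "OU=IT",
    # which would also match e.g. OU=IT-Contractors or OU=ITSM elsewhere
    # in the DN. The trailing "i" makes the match case-insensitive, since
    # AD may return attribute names in mixed case (assumed supported here).
    if (control:Ldap-UserDn =~ /,OU=QA,/i) {
        update reply {
            Tunnel-Type:1             := VLAN       # 13
            Tunnel-Medium-Type:1      := IEEE-802   # 6
            Tunnel-Private-Group-Id:1 := 7
        }
    }
    elsif (control:Ldap-UserDn =~ /,OU=IT,/i) {
        update reply {
            Tunnel-Type:1             := VLAN
            Tunnel-Medium-Type:1      := IEEE-802
            Tunnel-Private-Group-Id:1 := 2
        }
    }
    else {
        # Fallback VLAN for authenticated users outside the matched OUs.
        update reply {
            Tunnel-Type:1             := VLAN
            Tunnel-Medium-Type:1      := IEEE-802
            Tunnel-Private-Group-Id:1 := 21
        }
    }
    expiration
    logintime
    pap
}
```

Note that `radiusd -X` echoes the LDAP bind password on the `[ldap] bind as ...` line, so that line should be redacted before debug output is shared.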