Retrieving eDirectory VLAN attributes

Dan Lietz dlietz at inghamisd.org
Tue Jun 11 16:13:04 CEST 2013


Alan,

Thanks for the clear response, adding the attribute map to ldap.attrmap made it come to life. 

Thanks much for your help.

Dan

-----Original Message-----
From: freeradius-users-bounces+dlietz=inghamisd.org at lists.freeradius.org [mailto:freeradius-users-bounces+dlietz=inghamisd.org at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, May 24, 2013 10:18 AM
To: FreeRadius users mailing list
Subject: Re: Retrieving eDirectory VLAN attributes

Dan Lietz wrote:
> I’m pretty much a noob when it comes to freeradius as I still don’t 
> completely understand what files are used for authorization and 
> authentication and where to put certain pieces of configuration.

  Rule 1: don't touch anything.  The configuration is complicated, but it mostly works.

  The "files used for authorization" are the virtual servers.  See raddb/sites-enabled.  Those files reference other configuration.  But it's all reasonably well abstracted.

  i.e. you don't need to know anything about the "mschap" module configuration to use it.  You don't even need to know *where* its configuration lives.  But if you run the server in debugging mode, it will tell you.

  The "where to put configuration" issue largely depends on what you want to do.  Edit a virtual server?  See raddb/sites-enabled.  A module?  raddb/modules.

> I’m trying to set up dynamic vlans for a wireless network with a 
> Ruckus Zone Director backend and a freeradius backend authenticating 
> via LDAP to eDirectory running on the same box. So far I’ve managed to 
> configure 802.11x authentication using PEAP and that is working well.

  That's good.

> Now I want to be able to retrieve the radius attribute in eDirectory 
> for the vlan tag so the Ruckus Zone Director will automatically place 
> the user on the correct vlan once they are authenticated.

  OK.

> I did some initial testing without using LDAP by adding the following 
> lines to my users file:
> 
> DEFAULT
> 	Tunnel-Type = VLAN,
> 	Tunnel-Medium-Type = 802,
> 	Tunnel-Private-Group-ID = 85,
> 	Fall-Through = Yes

  Yes, that works.  It's a good first step.

> By changing the value of “Tunnel-Private-Group-ID” (set to 85 in the 
> above example) the Zone Director will move users to the vlan ID I 
> specify here, but it is obviously static and does not change based on 
> the user. The next step is to configure FreeRadius to pull the info 
> from eDir via LDAP and that’s the part I’m not getting.

  The "ldap.attrmap" file is in the "raddb" directory.  It contains mappings from LDAP to RADIUS.  It's also documented in the comments at the top of the file.

> Part of my problem is that I don’t know which attributes mappings are 
> built in and which aren’t.

  See ldap.attrmap.

> According to this document: Integrating Novell eDirectory with 
> FreeRadius 
> <https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/bv8m2ll.html>
> the listed radius attributes are available for use, but does that mean 
> I don’t need to add them to ldap.attr or the dictionary file at all? 
> Or that I don’t need to add an LDAP attribute map to the LDAP Group 
> object in iManager?

  The LDAP to RADIUS map is defined in ldap.attrmap.  And ONLY in ldap.attrmap.  Go look there.  If a mapping isn't there, it isn't mapped.  If it is there, the LDAP attribute (if any) is mapped to the RADIUS equivalent.

> The other thing I don’t understand is where (i.e. what file) to put 
> the ldap call for said attributes and what the syntax would look like.

  See raddb/sites-available/inner-tunnel, and "default".  Look for "ldap".  Read the comments there.


> I’ve configured my eap.conf to include ‘copy_request_to_tunnel = yes’
> and ‘use_tunneled_reply = yes’

  That's correct for your setup.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
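The ldap.attrmap mechanism Alan points to, worked through as an added Python model. This is not FreeRADIUS or rlm_ldap code and is not part of the thread: it parses the file's three-column layout (checkItem/replyItem, RADIUS attribute, LDAP attribute), applies the replyItem rows to a directory entry, and shows that only mapped attributes ever reach the reply. The LDAP attribute names are assumed to follow the common RADIUS LDAP schema; confirm them against your own raddb/ldap.attrmap and the eDirectory schema. The "users-file DEFAULT first, per-user LDAP value on top" policy is this toy's own choice to show the static and directory-driven VLAN side by side, not a statement of how the files and ldap modules combine replies. FreeRADIUS matches attribute names case-insensitively, so the Tunnel-Private-Group-ID spelling in the users file above and Tunnel-Private-Group-Id here name the same attribute.

```python
"""Toy model of the FreeRADIUS 2.x raddb/ldap.attrmap format and of how
replyItem rows turn one LDAP entry into RADIUS reply attributes.
Constructed illustration, not rlm_ldap's code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    kind: str         # "checkItem" or "replyItem"
    radius_attr: str  # RADIUS attribute name from the dictionary
    ldap_attr: str    # LDAP attribute name from the directory schema


# Constructed excerpt in ldap.attrmap's layout. LDAP names are assumed from the
# common RADIUS LDAP schema; check them in your own ldap.attrmap.
ATTRMAP_TEXT = """
# type        RADIUS attribute           LDAP attribute
checkItem     Called-Station-Id          radiusCalledStationId
replyItem     Tunnel-Type                radiusTunnelType
replyItem     Tunnel-Medium-Type         radiusTunnelMediumType
replyItem     Tunnel-Private-Group-Id    radiusTunnelPrivateGroupId
"""

# Static fallback mirroring the DEFAULT entry from the users file in the thread.
USERS_DEFAULT_REPLY = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "802",
    "Tunnel-Private-Group-Id": "85",
}

# Constructed directory entries (attribute -> list of values, as an LDAP client returns them).
ENTRIES = {
    "dlietz": {"cn": ["dlietz"], "radiusTunnelPrivateGroupId": ["120"], "description": ["staff"]},
    "guest": {"cn": ["guest"]},  # no RADIUS attributes: keeps the static DEFAULT VLAN
    "lab": {"cn": ["lab"], "radiusTunnelPrivateGroupId": ["200"],
            "radiusCalledStationId": ["00-11-22-33-44-55:lab-ssid"]},
}


def parse_attrmap(text):
    """Parse 'checkItem|replyItem  RADIUS-attr  LDAP-attr' rows; '#' starts a comment."""
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("checkItem", "replyItem"):
            raise ValueError("ldap.attrmap line %d: malformed entry %r" % (lineno, raw))
        mappings.append(Mapping(*parts))
    return mappings


def _lookup(entry, ldap_attr):
    """LDAP attribute names are case-insensitive; match them that way."""
    for name, values in entry.items():
        if name.lower() == ldap_attr.lower():
            return values
    return None


def check_items_pass(mappings, entry, request):
    """checkItem rows: a value stored on the entry must equal the request's value.
    An entry with no value for that attribute imposes no constraint."""
    for m in mappings:
        if m.kind != "checkItem":
            continue
        wanted = _lookup(entry, m.ldap_attr)
        if wanted and request.get(m.radius_attr) not in wanted:
            return False
    return True


def reply_items(mappings, entry):
    """replyItem rows: copy mapped LDAP values into the reply. Attributes that are
    not listed in ldap.attrmap (e.g. description) are never copied."""
    reply = {}
    for m in mappings:
        if m.kind != "replyItem":
            continue
        values = _lookup(entry, m.ldap_attr)
        if values:
            reply[m.radius_attr] = values[0]
    return reply


def build_reply(mappings, entry, request, default=USERS_DEFAULT_REPLY):
    """Toy authorization: reject (None) if a check item fails, otherwise the static
    DEFAULT reply with the user's own LDAP-sourced values on top."""
    if not check_items_pass(mappings, entry, request):
        return None
    reply = dict(default)
    reply.update(reply_items(mappings, entry))
    return reply


MAPPINGS = parse_attrmap(ATTRMAP_TEXT)

if __name__ == "__main__":
    req = {"User-Name": "dlietz", "Called-Station-Id": "aa-bb-cc-dd-ee-ff:staff"}
    for user, entry in ENTRIES.items():
        print(user, build_reply(MAPPINGS, entry, req))
```

Running it shows dlietz landing on VLAN 120 from the directory, guest falling back to the static 85, and lab being rejected because its stored Called-Station-Id does not match the request; that last case is the check-item half of the file, which is worth keeping in mind when deciding which rows to leave uncommented.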
