LDAP Groups to Freeradius and then Ruckus Wireless?
Enrique Sainz Baixauli
enriquesainz.beca at intef.educacion.es
Tue Jun 3 13:12:19 CEST 2014
> Hi Enrique,
>
> Can you show us what the inner-tunnel post-auth section looks like? By
> trimming down the debug output, we've lost that.
>
> If your inner-tunnel post-auth just uses "update reply {", then you may
> wish to update it with "update outer.reply {", which should feed the
> attribute back.
>
> Stefan
Hi Stefan,
I only added to postauth in inner-tunnel server configuration what I had in
authorize in default server:

    foreach &control:LDAP-Group {
        update reply {
            &Ruckus-User-Groups += "%{Foreach-Variable-0}"
        }
    }

Now I changed it into update outer.reply and, instead of the attribute being
added to the tunneled reply to the default server, it was added to the
Access-Challenge that the default server sent to the client. Then, the
client sends one last Access-Request and the server sends Access-Accept
without the attribute. I am guessing that this last reply was done only by
the default server, so the inner-tunnel didn't get to add anything. But if
that's so, how can I add the attribute in the default server without
querying LDAP on every packet that the server sends to set up the TLS
conversation?
Thanks again!