LDAP authorization without group attribute

Walter Reynolds waltr at umich.edu
Tue May 13 13:45:54 CEST 2014


I am running Freeradius 2.2.4 and am not quite sure where to go with this.
 I have read the documentation, but my need does not quite match.

We have the standard EAP-PEAP setup where users are authenticated against
AD via ntlm-auth.  What I need to do is add an authorization check to
determine if a user should get a specific VLAN attribute sent back or be
placed in a default VLAN (This is so we can only allow access to library
resources to those that should be allowed).

Now, if I had a LDAP group that contained these I could use a simple group
setup listed in the http://wiki.freeradius.org/modules/Rlm_ldap page.  My
problem is, the attribute that contains the data about the affiliation is a
multi valued attribute

UMICHINSTROLES
StudentAA, StudentDBRN, and StudentFLNT (continuing and incoming students
regardless of enrollment; includes detached study);
EnrolledStudentAA, EnrolledStudentDBRN, EnrolledStudentFLNT (enrolled in at
least one credit hour for "current" term; next term information is used
during gap between terms)
AlumniAA, AlumniDBRN, AlumniFLNT (any person who has completed at least one
semester in a degree-granting program)
FacultyAA, FacultyDBRN, FacultyFLNT (defined as academic, instructional,
and research appointments; includes emeritus faculty)
RegularStaffAA, RegularStaffDBRN, RegularStaffFLNT (current appointment
with a status of active, suspended, short-work break, leave, or paid leave);
TemporaryStaffAA, TemporaryStaffDBRN, TemporaryStaffFLNT (current
appointment with a status of active, suspended, short-work break, leave, or
paid leave)
Retiree (retired from any U-M campus, regardless of other appoints that may
still be active)
SponsoredAffiliateAA, SponsoredAffiliateDBRN, SponsoredAffiliateFLNT (has
at least one departmental sponsorship).


Is there a way to make the group match a specific set of these values?  (I
can do that with the Cisco VPN DAP policies)  Something along these lines
(again based on group section from wiki)

post-auth {
        if (LDAP-Group == "umichinstroles=*FacultyAA") {
                Assign VLAN Special
        }
        elsif (LDAP-Group == "umichinstroles=*StudentAA") {
                Assign VLAN Special

        }
        else {
                Assign VLAN Default

        }
}


Another path of thought was to specify a filter in the LDAP module config
to something like this.

        filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(|(umichinstroles=*AffiliateAA)(umichinstroles=*FacultyAA)(umichinstroles=*StudentAA)(umichinstroles=*StaffAA)))"

So that works as far as only responding if a user matches one of those, but
then how would I apply a VLAN for them and leave everyone else in a default
VLAN?

There must be a way to do this but my lack of LDAP knowledge is not helping
me see how to do this and the guides I find do not seem to help.

Any help would be appreciated.
------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
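The two pieces the post asks about, a filter that matches any of a set of values in the multi-valued `umichinstroles` attribute and a decision that hands matching users the VLAN attributes while everyone else lands in a default VLAN, can be modelled outside FreeRADIUS. The following is an added example, not code from the post or from the FreeRADIUS project: it builds the LDAP filter with RFC 4515 escaping of the username (so a name containing `(`, `)`, `*` or `\` cannot change the filter's structure), then maps the role values returned for an entry to the three RFC 2868 tunnel attributes a switch expects. The role names come from the post; the VLAN ids and the sample directory entry are constructed placeholders.

```python
"""Added example (not part of the original post): LDAP filter construction
and VLAN decision for a multi-valued role attribute."""

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def ldap_escape(value):
    """Escape a value so it is matched literally inside a filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username, attr, wanted):
    """Return (&(uid=<user>)(|(attr=v1)(attr=v2)...)) with every value escaped.

    Values are matched exactly rather than with a leading '*' wildcard, so a
    clause for StudentAA does not also match EnrolledStudentAA.
    """
    clauses = "".join("(%s=%s)" % (attr, ldap_escape(v)) for v in sorted(wanted))
    return "(&(uid=%s)(|%s))" % (ldap_escape(username), clauses)


# Role values (names taken from the post) that should receive the library VLAN.
SPECIAL_ROLES = {"FacultyAA", "StudentAA", "RegularStaffAA", "SponsoredAffiliateAA"}

# Constructed placeholder VLAN ids; the post does not state real ones.
SPECIAL_VLAN = "201"
DEFAULT_VLAN = "100"


def vlan_reply(roles, special=SPECIAL_ROLES):
    """Map the multi-valued role attribute to RADIUS reply attributes.

    Any overlap with `special` selects the special VLAN; an empty list (user
    not found, or no roles) falls through to the default VLAN, so the
    decision is fail-closed toward the less privileged network.
    """
    vlan = SPECIAL_VLAN if special & set(roles) else DEFAULT_VLAN
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


# Constructed sample directory entries standing in for an LDAP search result.
SAMPLE_DIRECTORY = {
    "prof": {"umichinstroles": ["FacultyAA", "AlumniAA"]},
    "grad": {"umichinstroles": ["EnrolledStudentDBRN", "AlumniDBRN"]},
}


def decide_for_user(username, directory=SAMPLE_DIRECTORY):
    """Look the user up in the constructed directory and return the reply."""
    entry = directory.get(username, {})
    return vlan_reply(entry.get("umichinstroles", []))


if __name__ == "__main__":
    print(build_filter("jdoe", "umichinstroles", SPECIAL_ROLES))
    for user in ("prof", "grad", "nobody"):
        print(user, decide_for_user(user))
```

In FreeRADIUS itself the same decision would be written in unlang as an `update reply` block setting `Tunnel-Type`, `Tunnel-Medium-Type` and `Tunnel-Private-Group-Id`; the point the example makes is that the default VLAN branch has to exist explicitly, because a filter that only matches privileged users returns no entry at all for everyone else.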