Freeradius-Users Digest, Vol 113, Issue 26

Lord Felix felix107 at msn.com
Tue Sep 9 21:29:08 CEST 2014


Okay... I figured it out.

Ldap-Group == "Student" works just fine; that did the trick in the users file.

I thought it was an issue with the users file not being read, but a simple test case was just to perform a User-Name == "username" test, and it works immediately.

Thanks
 
From: felix107 at msn.com
To: freeradius-users at lists.freeradius.org
Subject: RE: Freeradius-Users Digest, Vol 113, Issue 26
Date: Tue, 9 Sep 2014 11:52:22 -0400




Thanks for the quick reply.

So, I was successfully able to set up AD with LDAP with the following config; my only issue is I still cannot assign the different VLANs based on the group they are in.
I need the following to be set up:
1. WiFi Student --> VLAN 93
2. Ethernet Student --> VLAN 3
3. WiFi Staff --> VLAN 94
4. Ethernet Staff --> VLAN 4

I was able to do it in the inner-tunnel file with the following, but this is the OU container, not the group, and also, can you filter WiFi vs. LAN connections in here?:
# Ethernet Staff -> VLAN 4, Ethernet Student -> VLAN 3 (VLAN IDs aligned with the list above)
if (control:Ldap-UserDn =~ /OU=Staff/) {
        update reply {
                Tunnel-Type:1 := 13
                Tunnel-Medium-Type:1 := 6
                Tunnel-Private-Group-Id:1 := 4
        }
}
if (control:Ldap-UserDn =~ /OU=Student/) {
        update reply {
                Tunnel-Type:1 := 13
                Tunnel-Medium-Type:1 := 6
                Tunnel-Private-Group-Id:1 := 3
        }
}

 
I noticed you can define this in the users file, but I'm not sure if I got the syntax right.

Should it be Ldap-Group == "CN=Student", which doesn't work either, or am I doing something wrong here? How do I look up the group they are in using Ldap-Group? Or do I use Ldap-UserDn?
 
Thanks
 
 
Here is my users file config:
# Entries are tried in order; Fall-Through := No means the first match wins.
# NAS-Port-Type 19 is Wireless-802.11; entries without it catch the wired case.
# WiFi Student -> VLAN 93
DEFAULT Ldap-Group == "OU=Student", NAS-Port-Type == 19
        Tunnel-Type := 13,
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 93,
        Fall-Through := No
# Ethernet Student -> VLAN 3 (per the list above)
DEFAULT Ldap-Group == "OU=Student"
        Tunnel-Type := 13,
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 3,
        Fall-Through := No
# WiFi Staff -> VLAN 94
DEFAULT Ldap-Group == "OU=Staff", NAS-Port-Type == 19
        Tunnel-Type := 13,
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 94,
        Fall-Through := No
# Ethernet Staff -> VLAN 4
DEFAULT Ldap-Group == "OU=Staff"
        Tunnel-Type := 13,
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 4,
        Fall-Through := No

 
 
 
Here is my LDAP config, if anyone decides to try LDAP to AD:

ldap {
        server = "xxx.xxx.xxx"
        identity = "cn=xxxxx,cn=Users,dc=lcs,dc=on,dc=ca"
        password = "xxxxxxx"
        basedn = "dc=xxx,dc=xxx,dc=xxx"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                start_tls = no
        }

        dictionary_mapping = ${confdir}/ldap.attrmap

        edir_account_policy_check = no

        # Group handling: a bare Ldap-Group value (e.g. "Student") is compared
        # with the groupname_attribute (cn) of the user's groups. With AD the
        # user's memberOf attribute supplies the group DNs, which is why the
        # groupmembership_filter below (written for GroupOfNames /
        # GroupOfUniqueNames rather than AD's objectClass=group) does not
        # have to match for the check to succeed.
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        # listed once (it was set twice in the original config)
        groupmembership_attribute = memberOf

        chase_referrals = yes
        rebind = yes

        ldap_debug = 0x0028
        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}
 
 
Date: Mon, 8 Sep 2014 09:39:02 +0100
Subject: Re: Freeradius-Users Digest, Vol 113, Issue 26
From: ruyrybeyro at gmail.com
To: freeradius-users at lists.freeradius.org


Hi Felix,

The best approach is to use the LDAP groups to select your VLAN. As you are starting, I would also advise you to upgrade to 2.2.5 or, better yet, version 3. It would be better, too, if you created a group for WiFi access instead of using the administrator group.

You can write the logic for the VLAN in the users file, or with unlang; if you search the list archive you will find plenty of examples.

Taken from the end of my post-auth, inner-tunnel. I still advise you to peruse the archive, to understand it better.

        if ( Ldap-Group == "staff" ) {
                if (!(Operator-Name)) {
                        update reply {
                                User-Name := "%{request:User-Name}"
                                Service-Type := "Framed-User"
                                Framed-MTU := 1300
                                Tunnel-Type := VLAN
                                Tunnel-Medium-Type := IEEE-802
                                Tunnel-Private-Group-Id := "7"
                                Reply-Message := "staff VLAN"
                        }
                }
        }
        elsif ( Ldap-Group == "student" ) {
                if (!(Operator-Name)) {
                        update reply {
                                User-Name := "%{request:User-Name}"
                                Service-Type := "Framed-User"
                                Framed-MTU := 1300
                                Tunnel-Type := VLAN
                                Tunnel-Medium-Type := IEEE-802
                                Tunnel-Private-Group-Id := "9"
                                Reply-Message := "student VLAN"
                        }
                }
        }
        else {
                reject
        }

Regards,
Rui Ribeiro
Senior Sysadm
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
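The following is an added example, not code from the thread or from FreeRADIUS: a small Python model of how a FreeRADIUS 2.x users file such as the one Felix posted (Ldap-Group plus NAS-Port-Type, first match wins because every entry has Fall-Through := No) would pick one of the four VLANs, and of the Ldap-Group comparison that Rui's unlang and Felix's users file both rely on. The memberOf DNs, the directory layout (OU=Groups,DC=example,DC=org) and the helper names are assumptions made for the example; the comparison rule is a simplification of rlm_ldap's behaviour, kept just detailed enough to show why "OU=Student" and "CN=Student" never match while "Student" does.

```python
# Added example (not from the thread or from FreeRADIUS): model of users-file
# VLAN selection from Ldap-Group and NAS-Port-Type. DNs and names are assumed.

WIRELESS_80211 = 19        # NAS-Port-Type value Wireless-802.11
ETHERNET = 15              # NAS-Port-Type value Ethernet
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type VLAN
TUNNEL_MEDIUM_IEEE_802 = 6 # Tunnel-Medium-Type IEEE-802


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...] with lower-cased attributes.
    Simplification: escaped commas inside values are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def normalise_dn(dn):
    """Canonical, case-insensitive form used for DN equality."""
    return ",".join("%s=%s" % (a, v.lower()) for a, v in parse_dn(dn))


def ldap_group_matches(check_value, member_of, groupname_attribute="cn"):
    """Simplified model of the Ldap-Group check (assumption: rlm_ldap 2.x
    semantics). A check value containing '=' is treated as a full group DN
    and compared with the user's memberOf values; anything else is a bare
    group name compared with the groupname_attribute (the first RDN) of
    each group the user is a member of."""
    if "=" in check_value:
        wanted = normalise_dn(check_value)
        return any(normalise_dn(g) == wanted for g in member_of)
    for group_dn in member_of:
        attr, value = parse_dn(group_dn)[0]
        if attr == groupname_attribute.lower() and value.lower() == check_value.lower():
            return True
    return False


# Users-file entries in file order: (check items, VLAN). Every entry has
# Fall-Through := No, so the first matching entry decides the reply.
USERS_FILE = [
    ({"Ldap-Group": "Student", "NAS-Port-Type": WIRELESS_80211}, 93),
    ({"Ldap-Group": "Student"}, 3),
    ({"Ldap-Group": "Staff", "NAS-Port-Type": WIRELESS_80211}, 94),
    ({"Ldap-Group": "Staff"}, 4),
]


def assign_vlan(member_of, nas_port_type):
    """Return the reply items of the first entry whose check items all match,
    or None when no entry matches (no VLAN would be sent)."""
    for checks, vlan in USERS_FILE:
        if "NAS-Port-Type" in checks and checks["NAS-Port-Type"] != nas_port_type:
            continue
        if not ldap_group_matches(checks["Ldap-Group"], member_of):
            continue
        return {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-Id": str(vlan),
        }
    return None


# Constructed sample memberOf values (assumed directory layout, not real data).
STUDENT = ["CN=Student,OU=Groups,DC=example,DC=org"]
STAFF = ["CN=Staff,OU=Groups,DC=example,DC=org",
         "CN=Wifi-Users,OU=Groups,DC=example,DC=org"]
GUEST = ["CN=Guest,OU=Groups,DC=example,DC=org"]

if __name__ == "__main__":
    for label, groups in (("student", STUDENT), ("staff", STAFF), ("guest", GUEST)):
        for port_name, port in (("wifi", WIRELESS_80211), ("ethernet", ETHERNET)):
            print(label, port_name, assign_vlan(groups, port))
    for check in ("OU=Student", "CN=Student", "Student",
                  "cn=student,ou=groups,dc=example,dc=org"):
        print(repr(check), "matches student:", ldap_group_matches(check, STUDENT))
```

Running the block prints the four Student/Staff x WiFi/Ethernet mappings (93, 3, 94, 4), shows that a user in neither group gets no VLAN at all (in a real deployment that case should be an explicit reject, as in Rui's `else { reject }`), and shows the comparison rule: only the bare group name or the complete group DN matches, which is the difference between the users-file lines that failed and the one that worked.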

Message: 2
Date: Mon, 8 Sep 2014 04:14:31 -0400
From: Lord Felix <felix107 at msn.com>
To: "freeradius-users at lists.freeradius.org"
        <freeradius-users at lists.freeradius.org>
Subject: How-To for setting up ldap for Active Directory
Message-ID: <BAY172-W14882D57281A381E1D91438DC10 at phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"

Hi Everyone,

I'm new to FreeRADIUS and I've been reading some of the mailing list e-mails.

I've got FreeRADIUS installed on CentOS 6, which is version 2.1.12.

So I've followed the instructions for getting FreeRADIUS working with ntlm_auth against Windows 2012 Active Directory, based on the link below:
http://deployingradius.com/documents/configuration/active_directory.html

Everything works great!

The only issue is that now I need dynamic VLANs working, and I also need to look up the MAC address from an MSSQL database to validate the user to allow access to the network.

After reading more about ntlm_auth, it will only respond with true or false, and this method doesn't really help with what I want to accomplish.

What I need to do is, based on what group the user belongs to, assign them to that specific VLAN, i.e. if you are staff you go to VLAN 7 and if you are a student you go to VLAN 9.

Is there any How-To guide for setting up LDAP for Active Directory just like the link above?

I've tried to set up the ldap module and I'm running into issues.

This is how my ldap config looks:



ldap {
        server = "xxx.xxx.xxx"
        basedn = "dc=xxx,dc=xxx,dc=xxx"
        filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
        groupmembership_attribute = "Administrators"
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        chase_referrals = yes
        rebind = yes
        ldap_debug = 0x0028
        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}

Here is my debug info, and I know it's not working, because I don't even see it trying to contact the radius server, which is why I'm asking if there is a quick HowTo:

rad_recv: Access-Request packet from host 127.0.0.1 port 33583, id=125, length=74
        User-Name = "xxxxxxx"
        User-Password = "xxxxxxx"
        NAS-IP-Address = xx.xx.xxxx
        NAS-Port = 0
        Message-Authenticator = 0x1c451a3ee1cd4caabec9e764c4006d2b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> xxxx
[sql] sql_set_user escaped user --> 'xxxxxx'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'xxxxxx' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User username not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> xxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 125 to 127.0.0.1 port 33583
Waking up in 4.9 seconds.
Cleaning up request 1 ID 125 with timestamp +2007
Ready to process requests.

Someone also posted that they can get ntlm_auth working with groups, and you need to chat the stuff around? It would be great if someone could provide a how-to on getting this to work with dynamic VLANs.

Any help would be greatly appreciated.

Thanks



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html