Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

Alan DeKok aland at deployingradius.com
Fri Dec 11 20:52:51 CET 2015


On Dec 11, 2015, at 2:18 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
> It works normally, no problem IMHO.
> Debug output from freeradius 3.0.10 :
> 
> Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: EXPAND
> (uid=%{%{Stripped-User-Name}:-%{User-Name}})

  Please use "radiusd -X" as recommended in the FAQ, "man" pages, web pages and on this list.  Adding another "-x" to get the dates doesn't help.  It makes the debug output harder to read in most cases.

  And the debug output doesn't show anything unusual.  The user is in LDAP, and is allowed to log in.

> My NAS has always the same IP when only the NAS Port-Id takes different values.
> I can only differentiate the networks my users try to reach by NAS Port-Id

  I have no idea what that means.  I don't know what equipment you're using, and I don't know your network topology.

  Please describe what you're talking about.  Are your NASes behind a NAT?  If so, say so.

> Furthermore, RFC2865 say that we shouldn't use NAS-Identifier to find
> the shared secret but we'd better deal with NAS-IP Address.

  No.  The *source IP* of the packet is used to determine the shared secret.  The NAS-IP-Address is informational, but has minimal meaning.

> Is this the same with NAS-Port Id?
> Should I take care of that ?

  Define what you mean by "take care of that"?

> Ok, so I can write things like :
> 
> user {
> 
>    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accessNetwork=%{request:NAS-Port-Id}))"
> }

  Yes that should work.

  Alan DeKok.
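The two points in the reply above, modelled in Python as an added example (this is not FreeRADIUS code and not from either poster): the shared secret is chosen by the packet's source IP matched against the client table, so the NAS-IP-Address inside the packet plays no part; and the `user { filter = ... }` string splices RADIUS attributes into an LDAP search filter, so every spliced value has to be escaped per RFC 4515 or an unexpected NAS-Port-Id would change the shape of the query. The client prefixes, secrets, attribute values and the `accessNetwork` attribute are constructed assumptions; the escaping mirrors what the module's own filter expansion is designed to do, and the counting helper is only there to make the difference visible.

```python
"""Added example (not FreeRADIUS code): client selection by source IP and
safe expansion of the rlm_ldap user filter discussed in the thread."""
import ipaddress

# Constructed client table in the spirit of clients.conf: CIDR prefix -> client.
CLIENTS = {
    "192.0.2.0/24": {"shortname": "branch-nas", "secret": "site-wide-secret"},
    "192.0.2.10/32": {"shortname": "core-sw", "secret": "core-switch-secret"},
}

# Constructed request. NAS-IP-Address deliberately differs from the packet's
# source IP to show that it is informational only.
SAMPLE_REQUEST = {
    "User-Name": "alice@example.org",
    "Stripped-User-Name": "alice",
    "NAS-IP-Address": "10.0.0.1",
    "NAS-Port-Id": "GigabitEthernet1/0/24",
}


def select_client(source_ip, clients=CLIENTS):
    """Return (shortname, secret) for the most specific client prefix that
    contains the packet's source IP, or None when the source is unknown
    (an unknown client's packets are dropped, whatever the packet claims)."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for prefix, cfg in clients.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cfg)
    if best is None:
        return None
    return best[1]["shortname"], best[1]["secret"]


# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value):
    """Escape a value so it is treated as literal data inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_with_default(request, primary, fallback):
    """Model the xlat %{%{primary}:-%{fallback}}: the primary attribute when it
    is present and non-empty, otherwise the fallback attribute."""
    return request.get(primary) or request.get(fallback, "")


def build_user_filter(request, escape=True):
    """Build the filter from the thread:
    (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accessNetwork=%{request:NAS-Port-Id}))
    escape=False shows the raw splice, i.e. what would happen without escaping."""
    uid = expand_with_default(request, "Stripped-User-Name", "User-Name")
    port_id = request.get("NAS-Port-Id", "")
    if escape:
        uid, port_id = ldap_filter_escape(uid), ldap_filter_escape(port_id)
    return f"(&(uid={uid})(accessNetwork={port_id}))"


def filter_assertion_count(ldap_filter):
    """Count the (attr=value) assertions directly under the top-level AND.
    The intended filter always has exactly two; escaped data cannot add more."""
    depth = count = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
            if depth == 2:
                count += 1
        elif ch == ")":
            depth -= 1
    return count


if __name__ == "__main__":
    print(select_client("192.0.2.10"))          # most specific prefix wins
    print(build_user_filter(SAMPLE_REQUEST))
    # Constructed malformed port id containing filter metacharacters.
    odd = dict(SAMPLE_REQUEST, **{"NAS-Port-Id": "eth0)(cn=*"})
    print(build_user_filter(odd, escape=False), filter_assertion_count(build_user_filter(odd, escape=False)))
    print(build_user_filter(odd), filter_assertion_count(build_user_filter(odd)))
```

Running it prints the core-switch client for 192.0.2.10 despite the packet's NAS-IP-Address of 10.0.0.1, the expected two-assertion filter for the normal request, and for the malformed port id a three-assertion filter when unescaped against a two-assertion filter when escaped. The practical check for a deployment is the same: log the expanded filter in `radiusd -X` output and confirm it always has the shape you wrote in the configuration.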
