Machine auth LDAP group checking
Dave Aldwinckle
daldwinc at uwaterloo.ca
Thu Jul 14 18:20:15 CEST 2016
Hi All,
I've just successfully configured machine authentication with PEAP.
As a final step, I am trying to assign a specific VLAN ID in
sites-enabled/default post-auth.
The problem I am having is that when I try to use the attribute
"ldap.host-LDAP-Group", the LDAP search does not run. If I use
"LDAP-Group" the search runs, but the group is not found due to a
difference in the filter.
I've configured a second instance of the ldap module like so:
ldap ldap.host {
...
}
Then in sites-enabled/default:
post-auth {
    ldap #uncommented
    if (ldap.host-LDAP-Group == "uw-WiFi-Managed") {
        update reply {
            Aruba-User-Vlan := 1025
        }
    }
}
I can see that ldap.host-LDAP-Group is created when the server starts,
so I know I'm checking the right attribute.
Examples:
Using ldap.host-LDAP-Group
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) [ldap.host] = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) if (&Realm == "uwaterloo.ca" ) {
(9) if (&Realm == "uwaterloo.ca" ) -> FALSE
(9) if (&Realm == "host") {
(9) if (&Realm == "host") -> TRUE
(9) if (&Realm == "host") {
(9) if (ldap.host-LDAP-Group == "uw-WiFi-Managed") {
(9) if (ldap.host-LDAP-Group == "uw-WiFi-Managed") -> FALSE
(9) } # if (&Realm == "host") = noop
(9) } # post-auth = noop
(9) Login OK: [host/machine1
Using LDAP-Group
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) [ldap.host] = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) if (&Realm == "uwaterloo.ca" ) {
(9) if (&Realm == "uwaterloo.ca" ) -> FALSE
(9) if (&Realm == "host") {
(9) if (&Realm == "host") -> TRUE
(9) if (&Realm == "host") {
(9) if (LDAP-Group == "uw-WiFi-Managed") {
(9) Searching for user in group "uw-WiFi-Managed"
rlm_ldap (ldap): Reserved connection (0)
(9) EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(9) --> (samaccountname=machine1)
(9) Performing search in "OU=People,dc=domain,dc=uwaterloo,dc=ca"
with filter "(samaccountname=machine1)", scope "sub"
(9) Waiting for search result...
(9) Search returned no results
rlm_ldap (ldap): Released connection (0)
(9) if (LDAP-Group == "uw-WiFi-Managed") -> FALSE
(9) } # if (&Realm == "host") = noop
(9) } # post-auth = noop
(9) Login OK: [host/machine1
--
Dave Aldwinckle
Network Services
Information Systems & Technology
University of Waterloo
(519)-888-4567, x41145
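The two debug excerpts above show the difference between a group condition that starts an LDAP search and one that returns FALSE without ever touching the directory. The script below is an added example, not part of the original post or of FreeRADIUS: it parses radiusd -X debug output in the line formats visible in the excerpts and flags every *-LDAP-Group condition that produced a TRUE/FALSE result with no "Searching for user in group" line in between, which means whatever the condition gates (here the VLAN assignment) was decided without consulting LDAP. For conditions that did search, it also reports the base DN, filter and whether the search returned anything. The sample input is copied from the post's debug output; the regular expressions assume those exact line formats, which is an assumption beyond what the post states.

```python
"""Audit FreeRADIUS v3 debug output (radiusd -X) for LDAP group conditions
that were evaluated without a group search actually running.
Added example, not FreeRADIUS code; line formats are assumed from the post."""
import re
import sys

# Debug line formats as they appear in the post's excerpts (assumption:
# other FreeRADIUS versions may format these lines differently).
COND_OPEN = re.compile(r'^\(\d+\)\s+if \((\S+) == "([^"]+)"\) \{$')
COND_RESULT = re.compile(r'^\(\d+\)\s+if \((\S+) == "([^"]+)"\) -> (TRUE|FALSE)$')
SEARCH = re.compile(r'^\(\d+\)\s+Searching for user in group "([^"]+)"$')
SEARCH_BASE = re.compile(
    r'^\(\d+\)\s+Performing search in "([^"]+)" with filter "([^"]+)", scope "(\w+)"$')
NO_RESULTS = re.compile(r'^\(\d+\)\s+Search returned no results$')

# Constructed sample input, copied from the post's debug output (the
# "Performing search" line is re-joined onto one line as radiusd prints it).
SAMPLE_NO_SEARCH = """
(9) if (&Realm == "host") {
(9) if (ldap.host-LDAP-Group == "uw-WiFi-Managed") {
(9) if (ldap.host-LDAP-Group == "uw-WiFi-Managed") -> FALSE
(9) } # if (&Realm == "host") = noop
(9) } # post-auth = noop
"""

SAMPLE_SEARCH = """
(9) if (&Realm == "host") {
(9) if (LDAP-Group == "uw-WiFi-Managed") {
(9) Searching for user in group "uw-WiFi-Managed"
rlm_ldap (ldap): Reserved connection (0)
(9) EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(9) --> (samaccountname=machine1)
(9) Performing search in "OU=People,dc=domain,dc=uwaterloo,dc=ca" with filter "(samaccountname=machine1)", scope "sub"
(9) Waiting for search result...
(9) Search returned no results
rlm_ldap (ldap): Released connection (0)
(9) if (LDAP-Group == "uw-WiFi-Managed") -> FALSE
(9) } # if (&Realm == "host") = noop
(9) } # post-auth = noop
"""


def audit_group_checks(debug_text):
    """Return one dict per *-LDAP-Group condition in the debug text.

    Each dict records the attribute compared, the group name, whether a
    group search was started between the condition opening and its result,
    the base DN and filter if one ran, whether it came back empty, and the
    TRUE/FALSE result of the condition.
    """
    findings = []
    pending = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = COND_OPEN.match(line)
        if m and m.group(1).endswith("LDAP-Group"):
            pending = {"attr": m.group(1), "group": m.group(2), "searched": False,
                       "base": None, "filter": None, "empty": False, "result": None}
            continue
        if pending is None:
            continue  # not inside an LDAP-Group condition
        m = SEARCH.match(line)
        if m and m.group(1) == pending["group"]:
            pending["searched"] = True
            continue
        m = SEARCH_BASE.match(line)
        if m:
            pending["base"], pending["filter"] = m.group(1), m.group(2)
            continue
        if NO_RESULTS.match(line):
            pending["empty"] = True
            continue
        m = COND_RESULT.match(line)
        if m and m.group(1) == pending["attr"]:
            pending["result"] = m.group(3)
            findings.append(pending)
            pending = None
    return findings


def unverified_checks(findings):
    """Conditions that produced a result without any group search running:
    whatever they gate (a VLAN here) was decided without consulting LDAP."""
    return [f for f in findings if f["result"] is not None and not f["searched"]]


def report(findings):
    """Human-readable summary, one line per condition."""
    lines = []
    for f in findings:
        head = f'{f["attr"]} == "{f["group"]}" -> {f["result"]}: '
        if not f["searched"]:
            lines.append(head + "NO SEARCH RAN")
        else:
            outcome = "no results" if f["empty"] else "results returned"
            lines.append(head + f'searched base {f["base"]} with filter {f["filter"]} ({outcome})')
    return lines


if __name__ == "__main__":
    # Pipe radiusd -X output in; with no stdin, run over the embedded samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NO_SEARCH + SAMPLE_SEARCH
    for line in report(audit_group_checks(text)):
        print(line)
```

Run it as `radiusd -X 2>&1 | python3 ldap_group_audit.py` (the file name is arbitrary). A "NO SEARCH RAN" line is the condition to chase before trusting the VLAN assignment; a searched condition that reports "no results" tells you which base DN and filter the module actually used, which is the first thing to compare against where the machine account really lives.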