VLAN Post Auth

Alan DeKok aland at deployingradius.com
Wed Apr 19 13:26:50 CEST 2017

On Apr 19, 2017, at 6:44 AM, Richard Laing <richard.laing at armourcomms.com> wrote:
> Hi there I am looking for help with setting up post authentication VLAN's with LDAP groups enabled, at present I have made a test environment and I attempting to have the groups from the LDAP server act as the determine factor in which VLAN is assigned.

  That should be straightforward.

> I have the connection to the LDAP server working and I can look up users inside the schema and them authenticated correctly at present, however once I try to place multiple VLAN's into the users file I am unable to have the post auth work,

  "it doesn't work" is not a good description.

  Please describe what, *exactly* happens, and what you *expect* to happen.

> If you require any more information please let me know and I will respond appropriately, thank you for your time.
> /etc/raddb/users
> DEFAULT Ldap-Group == "cn=freeradius,cn=groups,cn=accounts,dc=acskpye,dc=com"
>        Tunnel-Type = VLAN,
>        Tunnel-Medium-Type = "IEEE-802",
>        Tunnel-Private-Group-Id = "11"
> DEFAULT Ldap-Group == "cn=ops,cn=groups,cn=accounts,dc=acskype,dc=com"
>        Tunnel-Type = VLAN,
>        Tunnel-Medium-Type = "IEEE-802",
>        Tunnel-Private-Group-Id = "12"

  That's all fine... except that if the first DEFAULT doesn't match, FreeRADIUS doesn't go through and check the second one.  This is documented in the "man users" manual page.

> FreeRADIUS Version 3.0.4 installed onto CentOS 7

  You should really upgrade to a version released in the last 5 years.

> rlm_ldap (ldap): Reserved connection (4)
> (0)  ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (0)  ldap :    --> (uid=richardl)
> (0)  ldap : EXPAND dc=acskype,dc=com
> (0)  ldap :    --> dc=acskype,dc=com
> (0)  ldap : Performing search in 'dc=acskype,dc=com' with filter '(uid=richardl)', scope 'sub'
> (0)  ldap : Waiting for search result...
> (0)  ldap : User object found at DN "uid=richardl,cn=users,cn=compat,dc=acskype,dc=com"
> (0)  ldap : Processing user attributes
> (0)  WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute

  That's at least one other reason why the user is getting rejected.  You can only put users into VLANs after they've authenticated.  You can'd to it on Access-Reject.

  Alan DeKok.

More information about the Freeradius-Users mailing list