Questions about ldap authentication, huntgroup and authorize file
Jérôme BERTHIER
Jerome.Berthier at inria.fr
Mon Oct 9 16:29:26 CEST 2017
Hi,
I'm moving a setup from freeradius 2 (CentOS 6) to freeradius 3 (CentOS 7).
The server is hosting:
- a backend to authenticate users on Wifi 802.1X TTLS-PAP (openldap) and
PEAP-MSCHAPv2 (Active Directory)
- a backend to authenticate users on network equipment for admin purposes
We use several ldap instances described in the ldap module.
Our openldap server does not permit reading passwords. We use anonymous
binding to run the authentication process.
So, Auth-Type := <ldap_instance> is set by the ldap module file in each
ldap instance: set_auth_type = yes
Network equipment is grouped in the huntgroup file to apply a
specific policy by using filters on huntgroup and ldap group in the
users file.
The filter replies with different vendor-specific attributes for each ldap
group and finally we reject the authentication if there is no match.
For example, for devices from Juniper, we use this setup:

DEFAULT Ldap-Group == ldap_group_1, Huntgroup-Name == JuniperNet
	Service-Type = Login,
	Juniper-Local-User-Name := "radius-admin"

DEFAULT Ldap-Group == ldap_group_2, Huntgroup-Name == JuniperNet
	Service-Type = Login,
	Juniper-Local-User-Name := "radius-operator"

DEFAULT Auth-Type := Reject, Huntgroup-Name == JuniperNet
I took care of the file README.rst.
I also had a look at the documentation page about the ldap module:
http://wiki.freeradius.org/modules/Rlm_ldap
I still have a few questions:
1) I noticed that the variable Ldap-Group is no longer set by the last ldap
instance called. So, I corrected my config to describe the default
instance ldap {}. It works, but is it planned to be able to call another
instance in the authorize file?
2) Since the ldap module does not set Auth-Type := ldap anymore, I added
these lines to the site configuration where needed:

	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}

Is it correct?
3) Is it correct to use the authorize file to apply filters like we do?
Or shall we do it in the post-auth section (it could be inaccurate if
we need to reject the access)?
Thank you for your help.
Regards,
--
Jérôme BERTHIER
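As an added illustration, not code from the post or from FreeRADIUS itself, the following Python simulates how a users-file pass evaluates the three Juniper entries quoted in the message: entries are tried in order, "==" items are tests, ":=" items on the check line set control attributes such as Auth-Type, and the first matching entry ends the pass unless it sets Fall-Through. The Ldap-Group check is approximated by a set of group names supplied by the caller, and the exact entry layout is assumed.

```python
import re

# Constructed sample reproducing the post's three users-file entries; group
# and huntgroup names are the post's own, the exact layout is assumed.
USERS_FILE = (
    'DEFAULT Ldap-Group == ldap_group_1, Huntgroup-Name == JuniperNet\n'
    '\tService-Type = Login,\n'
    '\tJuniper-Local-User-Name := "radius-admin"\n'
    'DEFAULT Ldap-Group == ldap_group_2, Huntgroup-Name == JuniperNet\n'
    '\tService-Type = Login,\n'
    '\tJuniper-Local-User-Name := "radius-operator"\n'
    'DEFAULT Auth-Type := Reject, Huntgroup-Name == JuniperNet\n'
)
# attribute, operator, value (quoted or bare); separating commas are skipped
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return a list of (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if line[:1] in ('\t', ' '):          # indented line: reply items
            entries[-1][2].extend(ITEM.findall(line))
        elif line.strip():                   # entry start: name + check items
            name, _, checks = line.partition(' ')
            entries.append((name, ITEM.findall(checks), []))
    return entries

def lookup(entries, user, groups, huntgroup):
    """First entry whose '==' checks all hold wins (unless it sets Fall-Through);
    ':=' items on the check line go to the control list. Ldap-Group is
    approximated by the set of LDAP groups the user belongs to.
    Returns (control, reply) dicts, or None when no entry matched."""
    tests = {'Ldap-Group': lambda v: v in groups,         # what '==' means
             'Huntgroup-Name': lambda v: v == huntgroup}   # per attribute
    control, reply, matched = {}, {}, False
    for name, checks, replies in entries:
        if name not in ('DEFAULT', user):
            continue
        if not all(tests.get(a, lambda v: False)(v)
                   for a, o, v in checks if o == '=='):
            continue                                       # some check failed
        matched = True
        control.update((a, v.strip('"')) for a, o, v in checks if o == ':=')
        reply.update((a, v.strip('"')) for a, _, v in replies)
        if reply.pop('Fall-Through', 'no').lower() != 'yes':
            break
    return (control, reply) if matched else None
```

A user in both LDAP groups gets the first entry's reply (radius-admin), and a user on a Juniper device in neither group ends with control Auth-Type = Reject, which is the "reject if no match" behaviour the post relies on.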