Dynamic Vlan Assignment Active Directory with winbind
Kevin Virk
Kevin.Virk at faithlife.com
Thu Aug 16 17:55:53 CEST 2018
Thank you for the help!
From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com at lists.freeradius.org> on behalf of freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
Sent: Thursday, August 16, 2018 3:00 AM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 160, Issue 27
Today's Topics:
1. Re: Dynamic Vlan Assignment Active Directory with winbind EAP-TLS 802.1x (Matthew Newton)
2. Re: I need to disconnect users (Brian Julin)
3. Apache with mod_auth_radius starts X requests (Carsten Schulze)
----------------------------------------------------------------------
Message: 1
Date: Wed, 15 Aug 2018 18:37:29 +0100
From: Matthew Newton <mcn at freeradius.org>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Dynamic Vlan Assignment Active Directory with winbind
EAP-TLS 802.1x
Message-ID: <1534354649.5024.21.camel at freeradius.org>
Content-Type: text/plain; charset="UTF-8"
On Wed, 2018-08-15 at 17:28 +0000, Kevin Virk wrote:
> I came across this thread in my search for answers
> http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-11-and-Winbind-td5743424.html
> and it is stating that winbind is not the
> preferred method for dynamic vlan assignment. This thread is about
> two years old so I was hoping if anyone could answer if this was
> still the case.
It's still the same.
> I am using FreeRADIUS Version 2.2.8, as this was what was downloaded
> using the deb package on Ubuntu 16.04.
2.2.8 is obsolete. You should upgrade to 3.0.17. Or at least 2.2.10
(which is still obsolete).
> The setup I am hoping to achieve is EAP-TLS 802.1x that can
> dynamically assign vlans to users based off active directory
> information and has the ability to revoke certs and check active
> directory for disabled accounts and not allow them to auth. Is this
> possible?
Yes.
As you want EAP-TLS you don't need winbind.
Still use LDAP to get data about the user from AD.
--
Matthew
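
A configuration sketch of the setup described in the reply above, for FreeRADIUS 3.0.x. It is an added example, not taken from the thread or written by the list participants. The server name, bind DN, group name and VLAN ID are placeholders, and it assumes client certificates carry the user's sAMAccountName as their CN.

```text
# --- mods-available/eap (excerpt): certificate checks for EAP-TLS ---
eap {
    default_eap_type = tls
    tls-config tls-common {
        ca_path = ${cadir}            # CA certs and current CRLs, hashed with c_rehash
        check_crl = yes               # refuse client certificates listed in a CRL
        check_cert_cn = %{User-Name}  # outer identity must match the certificate CN
    }
    tls {
        tls = tls-common
    }
}

# --- mods-available/ldap (excerpt): look the user up in AD ---
ldap {
    server   = 'dc1.example.test'                              # placeholder
    identity = 'CN=radius-svc,OU=Service,DC=example,DC=test'   # placeholder
    password = 'CHANGE_ME'                                     # placeholder
    base_dn  = 'DC=example,DC=test'                            # placeholder
    user {
        base_dn = "${..base_dn}"
        # Bit value 2 of userAccountControl is ACCOUNTDISABLE. The bitwise-AND
        # matching rule excludes disabled accounts, so they come back "notfound".
        filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        membership_attribute = 'memberOf'
    }
}

# --- sites-available/default (excerpt) ---
authorize {
    ldap
    if (notfound) {
        reject                  # unknown or disabled in AD
    }
    eap
}
post-auth {
    if (LDAP-Group == "vlan-staff") {          # placeholder group name
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"    # placeholder VLAN ID
        }
    }
}
```

Revocation only takes effect if the CRL files in the CA directory are refreshed before they expire and the server is restarted to load them.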
------------------------------
Message: 2
Date: Wed, 15 Aug 2018 17:43:35 +0000
From: Brian Julin <BJulin at clarku.edu>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: I need to disconnect users
Message-ID:
<BN7PR03MB376278619C1874D45813909CB43F0 at BN7PR03MB3762.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"
Alan DeKok <aland at deployingradius.com>
> No, that's wrong, sorry.
You were right both times... :-) I have to do the former because we use a
NAS client wildcard, and you can't originate-coa to a dynamically created
NAS last time I checked. Works fine, even at a medium volume of users.
------------------------------
Message: 3
Date: Thu, 16 Aug 2018 07:38:29 +0200
From: Carsten Schulze <carsten.schulze at leuphana.de>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Apache with mod_auth_radius starts X requests
Message-ID: <5d8a22ab-bf78-d2aa-1366-1af30135c7a0 at leuphana.de>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Hi,
I'm using Debian9 with Apache + radius_mod_auth to authenticate some
users while accessing a directory on that server.
But that didn't work.
I can see Radius Access-Requests and Access-Accepts via tcpdump; the
problem is that the request never ends. I interrupted the request with
an Apache restart after 3 minutes and 1500 Radius-Requests (still running).
07:10:14.010157 IP Radius-IP.1812 > 10.19.56.57.1026: RADIUS, Access-Accept
....
07:13:27.547061 IP 10.19.56.57.1026 > Radius-IP.1812: RADIUS, Access-Request (1), id: 0xc2 length: 80
07:13:27.674561 IP Radius-IP.1812 > 10.19.56.57.1026: RADIUS, Access-Accept (2), id: 0xc2 length: 20
3000 packets captured
Any idea about that?
I used that guide for configuration:
https://github.com/FreeRADIUS/mod_auth_radius
P.S: I can't turn on the debug option, the server wouldn't start.
Regards
Carsten
End of Freeradius-Users Digest, Vol 160, Issue 27