VLan affect based on ldap attribute freeradius v3
jehan procaccia INT
jehan.procaccia at int-evry.fr
Thu Aug 30 19:06:48 CEST 2018
Hello
In our eduroam configuration I want to assign a VLAN to users based on the
eduPersonPrimaryAffiliation LDAP attribute of the user.
Unfortunately, my assignment doesn't match the attribute, apparently.
Here's what I did:
1) I mapped the attribute in mods-available/ldap:

ldap prod {
        server = 'ldap.ourdomain.eu'
        ...
        update {
                control:Password-With-Header += 'userPassword'
                control:NT-Password += 'sambaNtPassword'
                # reply:Reply-Message := 'radiusReplyMessage'
                reply:Reply-Message := 'eduPersonPrimaryAffiliation'
                # reply:Tunnel-Type := 'radiusTunnelType'
                # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
                # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
                # reply:User-Category += 'eduPersonPrimaryAffiliation'
                reply:User-Category += 'eduPersonPrimaryAffiliation'
                control: += 'radiusControlAttribute'
                request: += 'radiusRequestAttribute'
                # reply: += 'radiusReplyAttribute'
        }
2) Running radiusd -X, I do see the LDAP query and the attribute returned
correctly:

rlm_ldap (prod): Reserved connection (3)
(41) prod: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(41) prod: --> (uid=teststud)
...
(41) prod: Processing user attributes
(41) prod: control:Password-With-Header += '{CRYPT}secretaoSOObH1'
(41) prod: control:NT-Password += secret3735323731
(41) prod: reply:Reply-Message := 'faculty'
(41) prod: reply:User-Category += 'faculty'
rlm_ldap (prod): Released connection (3)
(41) [prod] = updated
3) But later, from sites-available/default in the post-auth section, where I
check the attribute value in order to assign a VLAN to users:

post-auth {
        $INCLUDE ../vlanaffect.conf

vlanaffect.conf contains:

if ((reply:UserCategory == "employee") || (reply:UserCategory == "faculty") ||
    (reply:UserCategory == "staff") || (reply:UserCategory == "researcher") ||
    (reply:UserCategory == "member")) {
        update reply {
                Tunnel-Private-Group-Id := 903
        }
}
When that part of the config is processed by the server, it fails to match
(here, in that case, the if ((reply:UserCategory == "faculty") branch) !?
So it defaults (else) to our 902 VLAN ID:

(42) if ((reply:UserCategory == "employee") ||
(reply:UserCategory == "faculty") || (reply:UserCategory == "staff") ||
(reply:UserCategory == "researcher") || (reply:UserCategory ==
"member")) -> FALSE
(42) elsif ((reply:UserCategory == "student") ||
(reply:UserCategory == "affiliate")) {
(42) elsif ((reply:UserCategory == "student") ||
(reply:UserCategory == "affiliate")) -> FALSE
(42) else {
(42) update reply {
(42) Tunnel-Private-Group-Id := 902
It is as if the User-Category value (or the attribute itself) is not known
at this stage.
Is there a way to print the value of an attribute to check its name and
value?
I am confused by the attribute name itself; you might have noticed that in my
vlanaffect.conf I use UserCategory, but in the ldap module it is named
User-Category (note the - between User and Category)! It is so
because if in vlanaffect.conf I name it according to the ldap module
(User-Category), strangely I get errors running radiusd -X:

(34) if ((reply:User-Category == "employee") ||
(reply:User-Category == "faculty") || (reply:User-Category == "staff")
|| (reply:User-Category == "researcher") || (reply:User-Category ==
"member")) {
(34) ERROR: Failed retrieving values required to evaluate condition
(34) elsif ((reply:User-Category == "student") ||
(reply:User-Category == "affiliate")) {
(34) ERROR: Failed retrieving values required to evaluate condition
(34) else {
(34) update reply {
(34) Tunnel-Private-Group-Id := 902
There might be a mistake somewhere, but I cannot figure out where. How
can I debug LDAP / RADIUS attribute name/value matches?
Thanks for your help.
PS: I run:
# rpm -qa | grep radius
freeradius-ldap-3.0.13-8.el7_4.x86_64
freeradius-3.0.13-8.el7_4.x86_64
freeradius-utils-3.0.13-8.el7_4.x86_64
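An added worked configuration, not the poster's config and not FreeRADIUS project code, showing one way to carry the LDAP affiliation to the VLAN decision and to see the attribute's name and value in `radiusd -X` output. An unlang comparison can only succeed when the referenced attribute actually exists in the named list of the request being processed, and the attribute must be written exactly as the dictionary names it (`User-Category`, with the hyphen, prefixed by `&` so it is parsed as an attribute reference rather than as a bare string). The example assumes an EAP (PEAP/TTLS) eduroam setup in which the `ldap` module runs inside the inner-tunnel virtual server, FreeRADIUS 3.0.x unlang syntax including the `outer.session-state` list, and a placeholder VLAN 901 for the student/affiliate branch, which the post does not give; the `prod` instance, the attribute names, and VLANs 902 and 903 are taken from the post.

```unlang
#
# mods-available/ldap -- "update" section of the "prod" instance.
# The affiliation goes into the control list of the request that ran the
# LDAP lookup.  control: attributes are never sent on the wire, so the
# affiliation never leaks into an Access-Accept by accident.
#
ldap prod {
	server = 'ldap.ourdomain.eu'
	# ... base DN, user section etc. unchanged ...
	update {
		control:Password-With-Header	+= 'userPassword'
		control:NT-Password		+= 'sambaNtPassword'
		control:User-Category		:= 'eduPersonPrimaryAffiliation'
	}
}

#
# sites-available/inner-tunnel -- post-auth section.
# Assumption: the LDAP lookup happens inside the EAP tunnel, so the outer
# request never sees control:User-Category.  session-state survives the
# EAP rounds, so copy the value there for the outer server to use.
#
post-auth {
	if (&control:User-Category) {
		update outer.session-state {
			&User-Category := &control:User-Category
		}
	}
}

#
# sites-available/default -- post-auth section (replaces vlanaffect.conf).
#
post-auth {
	# Debugging aid: in "radiusd -X" the update prints an EXPAND line with
	# the xlat and a "-->" line with the resolved value (empty if absent).
	update request {
		&Tmp-String-0 := "%{session-state:User-Category}"
	}

	# Existence check first: comparing a missing attribute is what produces
	# "Failed retrieving values required to evaluate condition" in 3.0.x.
	if (&session-state:User-Category) {
		if (&session-state:User-Category =~ /^(employee|faculty|staff|researcher|member)$/) {
			update reply {
				&Tunnel-Private-Group-Id := 903
			}
		}
		elsif (&session-state:User-Category =~ /^(student|affiliate)$/) {
			# 901 is a placeholder: the post does not give this VLAN.
			update reply {
				&Tunnel-Private-Group-Id := 901
			}
		}
		else {
			update reply {
				&Tunnel-Private-Group-Id := 902
			}
		}
	}
	else {
		update reply {
			&Tunnel-Private-Group-Id := 902
		}
	}

	# RFC 3580 VLAN assignment: switches and controllers generally ignore
	# Tunnel-Private-Group-Id unless Tunnel-Type and Tunnel-Medium-Type
	# are present as well.
	update reply {
		&Tunnel-Type		:= VLAN
		&Tunnel-Medium-Type	:= IEEE-802
	}
}
```

The regex branches replace the long chains of `==` comparisons with one match per affiliation group, and the guarding `if (&session-state:User-Category)` keeps the debug output free of the retrieval error for users whose LDAP entry has no affiliation, who then land on VLAN 902 like every other unmatched value.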