VLan affect based on ldap attribute freeradius v3

Alan DeKok aland at deployingradius.com
Fri Aug 31 14:59:52 CEST 2018


> On Aug 31, 2018, at 4:45 AM, jehan procaccia INT <jehan.procaccia at int-evry.fr> wrote:
> 
> unfortunately it fails, User-Category attribute fetched from ldap
> edupersonPrimaryAffiliation  doesn't pass through different
> states/modules apparently

  Yes, it does.  You should be able to tell what's going on by reading the debug output.  *Or* by posting the ENTIRE debug output here, and letting someone else read it.

  You're falling into a common trap.  You're trying all kinds of random things.  Without really understanding what's going on, or why.  You're posting *small* bits of the debug output, in the hope that those bits are useful.

  They're not.

  Post the FULL DEBUG OUTPUT.

  And make sure it's for ONE USER.  We're not going to read through thousands of lines of logs about accounting packets, in order to solve an authentication issue.

> even with the usage of session-state (replacing "reply") it fails
> 
> here's a new radiusd -X experiment :
> 
> 1) ldap does find the attribute and associated value (here employee)
> 
> rlm_ldap (prod): Reserved connection (7)
> (93) prod: reply:Reply-Message := 'employee'
> (93) prod: reply:User-Category += 'employee'
> 
> 2) eap-peap has it
> 
> (93)     post-auth {
> (93)       if (0) {
> (93)       if (0)  -> FALSE
> (93)     } # post-auth = noop
> (93)   Login OK: [radu/<via Auth-Type = eap>] (from client prod port 0 via TLS tunnel)
> (93) } # server inner-tunnel
> (93) Virtual server sending reply
> (93)   Reply-Message := "employee"
> (93)  *User-Category += "employee"*
> (93) eap_peap: Got tunneled reply code 2
> (93) eap_peap:   Reply-Message := "employee"
> (93) eap_peap:  *User-Category += "employee"*

  Note that's all in packet 93.  AND in the "inner tunnel" virtual server.

> 3) eap_peap is success
> 
> (94)*eap_peap: Success*

  Which is packet 94.  Note that "94" is NOT THE SAME as "93".

  i.e. it's a different packet.  So unless you made sure to get the attribute from packet 93 inner tunnel reply to packet 94 outer reply... the attribute won't be in packet 94.

> should I see something like &reply:User-Category above

  No.

> ? not been present means it's already lost ?

  It hasn't been lost.

  All you need to do is read mods-available/eap, and set "use_tunneled_reply = yes".  And read the comments for that configuration item.  They explain what it is, why you need it, and when you want to use it.

  Alan DeKok.
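The setting Alan points to, shown in context as an added example that is not part of the original thread or of the FreeRADIUS distribution: the peap sub-section of mods-available/eap with use_tunneled_reply enabled, followed by a hypothetical post-auth rule in the outer server that maps the LDAP-derived User-Category onto the RFC 2868 tunnel attributes a switch reads for dynamic VLAN assignment. The VLAN number and the use of sites-enabled/default for the outer server are assumptions; the "employee" value and the User-Category attribute come from the debug output above.

```unlang
# mods-available/eap (FreeRADIUS 3.0.x): inside the eap { } block.
# use_tunneled_reply = yes makes the reply attributes produced inside the
# inner-tunnel virtual server (packet 93 above) get copied into the outer
# Access-Accept (packet 94) once eap_peap reports Success.
peap {
    tls = tls-common
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}

# sites-enabled/default (outer server), post-auth section (assumed location).
# This runs after eap_peap has copied the tunneled reply, so the
# &reply:User-Category set by rlm_ldap in the inner tunnel is visible here.
post-auth {
    # VLAN id 100 is an illustrative assumption, not a value from the thread.
    if (&reply:User-Category == "employee") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "100"
        }
    }
    # Users with no matching category get no Tunnel-* attributes, so the
    # switch falls back to its own default VLAN rather than a guessed one.
}
```

The same mapping can instead live in the inner-tunnel post-auth section, since with use_tunneled_reply = yes the Tunnel-* attributes are copied out along with everything else. Either way, the check is the same one Alan asks for: in `radiusd -X` for a single user, the final "Sent Access-Accept" for the outer packet (94 in the trace above, not 93) must list the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes; if they only appear under "server inner-tunnel", the copy is not happening and the NAS never sees them.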
