Uses of Active Directory user's attribute

Luc Paulin paulinster at gmail.com
Thu Feb 28 15:42:45 CET 2019


For anyone who may look up that kind of information: I dug a bit more
and, based on the following thread (
http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084450.html),
I managed to make it work.
So here's what I did...

Create another server instance file for ldap

ldap ldap_get_department {
        server = "myserver.example.com"
        port = 389
        identity = "radius@myserver.example.com"
        password = "password"
        base_dn = "DC=domain,DC=example,DC=com"

        update {
                reply:department := 'department'
        }

        user {
                base_dn = "${..base_dn}"
                filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{%{Stripped-User-Name}:-%{mschap:User-Name}}:-%{User-Name}}))"
        }

        options {
                chase_referrals = yes
                rebind = yes
        }
}

In the inner-tunnel post-auth section, I enabled this part:

if (1) {
    update reply {
        User-Name !* ANY
        Message-Authenticator !* ANY
        EAP-Message !* ANY
        Proxy-State !* ANY
        MS-MPPE-Encryption-Types !* ANY
        MS-MPPE-Encryption-Policy !* ANY
        MS-MPPE-Send-Key !* ANY
        MS-MPPE-Recv-Key !* ANY
    }
}

I also added the ldap_get_department module within the authorize section of
inner-tunnel.

And in the post-auth section of the default server, I added the check for the attribute:
  if ("%{toupper:%{session-state:department}}" == "IT/DEV") {
    if ("%{toupper:%{Ldap-Group}}" == "VLAN_MTL_ADMIN") {
      update reply {
        Tunnel-Private-Group-Id := 149
      }
    } else {
      update reply {
        Tunnel-Private-Group-Id := 143
      }
    }
  }



--
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster



On Thu, Feb 21, 2019 at 10:41 AM, Luc Paulin <paulinster at gmail.com>
wrote:

> Hi List,
>
> I was wondering if it would be possible to use the Active Directory user's
> attributes. As we're standardizing our AD, all users should have the
> Department attribute field filled. So instead of using AD groups to
> dynamically assign VLANs, I was thinking of using that field instead. Would
> that be something possible?
>
> Thanx!
>
> --
>                          !!!!!
>                        ( o o )
>  --------------oOO----(_)----OOo--------------
>    Luc Paulin
>    email: paulinster(at)gmail.com
>    Skype: paulinster
>
>
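The two pieces of the configuration in the reply above, the username fallback chain inside the LDAP filter and the department/group to VLAN decision in post-auth, are easy to get subtly wrong (a missing fallback, a user name that contains filter metacharacters, a case mismatch). The following Python is an added example, not code from the post or from FreeRADIUS: it models those two pieces in plain Python so each can be checked on its own. The request dictionary, the key name "mschap:User-Name" used to stand in for the `%{mschap:User-Name}` expansion, and the sample user names are all constructed for the example; the RFC 4515 escaping is the same escaping any user-supplied value needs before it is placed in an LDAP filter (rlm_ldap applies it to its own filter expansions).

```python
"""Added example: models the LDAP filter construction and the post-auth VLAN
decision from the FreeRADIUS configuration above. Not FreeRADIUS code.
"""
from typing import Mapping, Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value,
# each replaced by a backslash and its two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Order of the nested xlat in the user filter:
#   %{%{%{Stripped-User-Name}:-%{mschap:User-Name}}:-%{User-Name}}
# i.e. first non-empty of Stripped-User-Name, MS-CHAP user name, User-Name.
# "mschap:User-Name" is an assumed key name standing in for %{mschap:User-Name}.
_USER_NAME_SOURCES = ("Stripped-User-Name", "mschap:User-Name", "User-Name")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_user_name(request: Mapping[str, str]) -> Optional[str]:
    """Mirror the %{a:-%{b:-%{c}}} fallback: first present, non-empty value."""
    for key in _USER_NAME_SOURCES:
        value = request.get(key)
        if value:
            return value
    return None


def build_user_filter(request: Mapping[str, str]) -> str:
    """Build the sAMAccountName filter used by the ldap_get_department module,
    with the resolved user name escaped so it cannot alter the filter."""
    name = resolve_user_name(request)
    if name is None:
        raise ValueError("request carries no usable user name attribute")
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={ldap_filter_escape(name)}))"
    )


def choose_vlan(department: Optional[str], ldap_group: Optional[str]) -> Optional[int]:
    """Reproduce the post-auth decision: only IT/DEV users get a VLAN here;
    members of VLAN_MTL_ADMIN get 149, everyone else in IT/DEV gets 143.
    Comparisons are case-insensitive, as the %{toupper:...} xlats make them.
    Returns None when the outer condition does not match (no attribute set)."""
    if department is None or department.upper() != "IT/DEV":
        return None
    if ldap_group is not None and ldap_group.upper() == "VLAN_MTL_ADMIN":
        return 149
    return 143


if __name__ == "__main__":
    # Constructed sample requests.
    print(build_user_filter({"User-Name": "alice@example.com"}))
    print(build_user_filter({"Stripped-User-Name": "alice", "User-Name": "alice@example.com"}))
    print(build_user_filter({"User-Name": "*)(objectClass=*"}))  # metacharacters escaped
    print(choose_vlan("it/dev", "vlan_mtl_admin"), choose_vlan("IT/DEV", "Domain Users"), choose_vlan("HR", "VLAN_MTL_ADMIN"))
```

The third sample request shows why the escaping matters: a user name containing `*`, `(` or `)` ends up as literal characters inside the `sAMAccountName=` clause rather than as filter syntax, so the search still matches only an account with exactly that name.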


More information about the Freeradius-Users mailing list