Active Directory Attribute not extending to device

Alan DeKok aland at deployingradius.com
Wed Jul 7 03:25:21 CEST 2021


On Jul 6, 2021, at 6:33 PM, Luke Smith <LukeS at coloradovalley.com> wrote:
> 
> I am trying to set up my Cambium radios to use my instance of freeradius, which I have working for several other network devices. I have found out from Cambium that there are 2 attributes that need to be passed along to make it work. I have added the attributes to the dictionary files.
> 
> ATTRIBUTE       Cambium-Canopy-UserLevel                50      integer                                 #Userlevel permission for the User logging in remotely
> ATTRIBUTE       Cambium-Canopy-UserMode                 51      integer                                 #UserMode  permission for the User logging in remotely(1=Read-Only 0=Read-Write)

  Which file did you add these to?

  And editing the dictionaries just defines the attributes.  It doesn't tell FreeRADIUS when to send the attributes, or what value to use.

> I have added these attributes with the appropriate integer in active directory

  I have no idea what you mean by that.  Active Directory does not store RADIUS attributes.

> , but when I try to log in the attributes are not being passed along to the device. The only thing I've seen that passes the attribute along successfully is to add individual users in clients.conf

  Users are never added to the "clients.conf" file.

> but I would rather not have to manage user information in radius when I have AD doing that.
> 
> Below is the debug attempt of my login. I see a successful login, but missing the 2 attributes. What might I be missing?

  There seems to be a complete misunderstanding of how RADIUS works, and what FreeRADIUS does.

  I really can't answer any of these questions until the fundamental misunderstandings get corrected.  So start off simple:

* which file did you add the ATTRIBUTE lines to?

* did you add the attributes Cambium-Canopy-UserLevel and Cambium-Canopy-UserMode anywhere else?

* you got ntlm_auth working to Active Directory, so that's something.  But what changes did you make to Active Directory?  i.e. you did *not* add "these attributes with the appropriate integer in active directory".  Please explain in detail what you did.

  If you ask questions like "I did stuff and it didn't work", then the only recommendation is "do different stuff".

  If you give detailed and explicit explanations of what you did, then we can explain what to fix.  These are computers... they are literal, and explicit.  They don't work on vague "I did stuff" configurations.  As a result, we can't understand vague questions, either.  That doesn't help us understand what you told the computers to do.

  Alan DeKok.
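
An added illustration of the distinction drawn in the reply above between defining an attribute and sending it (not part of the original message and not FreeRADIUS code): the dictionary only maps a name to a number and type, and bytes appear in the reply only when policy supplies a value. The vendor number and the reply value are constructed, and carrying the attributes as Vendor-Specific is an assumption.

```python
import struct

# The two definitions quoted in the thread (trailing comments trimmed).
DICTIONARY_TEXT = """\
ATTRIBUTE       Cambium-Canopy-UserLevel                50      integer
ATTRIBUTE       Cambium-Canopy-UserMode                 51      integer
"""

# Assumption: the attributes belong to a vendor dictionary and travel as
# Vendor-Specific (type 26). This vendor number is a constructed placeholder.
VENDOR_ID = 99999


def parse_dictionary(text):
    """Map attribute name -> (number, type). This is all a dictionary holds."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "ATTRIBUTE":
            attrs[fields[1]] = (int(fields[2]), fields[3])
    return attrs


def encode_reply(dictionary, reply_items):
    """Encode policy-supplied reply items as RFC 2865 Vendor-Specific attributes."""
    out = b""
    for name, value in reply_items.items():
        if name not in dictionary:
            raise KeyError(f"{name} is not defined in any dictionary")
        number, attr_type = dictionary[name]
        if attr_type != "integer":
            raise ValueError(f"unsupported type {attr_type}")
        # Sub-attribute: vendor type, vendor length, 32-bit big-endian value.
        sub = struct.pack("!BBI", number, 6, value)
        # Outer attribute: type 26, total length, 4-byte vendor id, then sub.
        out += struct.pack("!BBI", 26, 6 + len(sub), VENDOR_ID) + sub
    return out


DICTIONARY = parse_dictionary(DICTIONARY_TEXT)

# Dictionary loaded, but no policy assigns a value: nothing goes on the wire.
NO_POLICY = encode_reply(DICTIONARY, {})

# Constructed policy result: UserMode 1 (Read-Only per the dictionary comment).
READ_ONLY = encode_reply(DICTIONARY, {"Cambium-Canopy-UserMode": 1})
```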
