Hello,
I'm actually trying to set up network authentication with FreeRADIUS and OpenLDAP.

I'm trying to provide a VLAN depending on the users group. It actually works if I set the *Tunnel-Private-Group-Id* attribute on my user but I'd love to set a Group ID on my group object in LDAP only.
FreeRADIUS won't take the Group ID when it's set in *Tunnel-Private-Group-Id* attribute on the group object.

Do you have any idea how I can get this to work?

Thank you so much for your help

Kind regards.

--
Christian VAN DER ZWAARD

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 28, 2021, at 10:06 AM, Christian VAN DER ZWAARD via Freeradius-Users <[hidden email]> wrote:
> I'm actually trying to set up network authentication with FreeRADIUS and
> OpenLDAP.
>
> I'm trying to provide a VLAN depending on the users group. It actually
> works if I set the *Tunnel-Private-Group-Id* attribute on my user but I'd
> love to set a Group ID on my group object in LDAP only.
> FreeRADIUS won't take the Group ID when it's set in *Tunnel-Private-Group-Id*
> attribute on the group object.

What does that mean?

> Do you have any idea how I can get this to work?

If only there was some kind of debug output which let you know *exactly* what was going on...

Alan DeKok.
It means FreeRADIUS does not look for the Group id in the right place.
It's not a bug or anything, I just don't know how to tell FreeRADIUS to get the Tunnel-Private-Group-Id from the users group.

Kind regards.

--
Christian VAN DER ZWAARD

On Thu, Jan 28, 2021 at 16:14, Alan DeKok <[hidden email]> wrote:

> On Jan 28, 2021, at 10:06 AM, Christian VAN DER ZWAARD via
> Freeradius-Users <[hidden email]> wrote:
> >
> > I'm actually trying to set up network authentication with FreeRADIUS and
> > OpenLDAP.
> >
> > I'm trying to provide a VLAN depending on the users group. It actually
> > works if I set the *Tunnel-Private-Group-Id* attribute on my user but I'd
> > love to set a Group ID on my group object in LDAP only.
> > FreeRADIUS won't take the Group ID when it's set in *Tunnel-Private-Group-Id*
> > attribute on the group object.
>
> What does that mean?
>
> > Do you have any idea how I can get this to work?
>
> If only there was some kind of debug output which let you know *exactly*
> what was going on...
>
> Alan DeKok.
On Jan 28, 2021, at 10:21 AM, Christian VAN DER ZWAARD via Freeradius-Users <[hidden email]> wrote:
> It means FreeRADIUS does not look for the Group id in the right place.

I still have no idea what that means. FreeRADIUS doesn't "look for" anything. It runs specific modules, which do specific things.

> It's not a bug or anything, I just don't know how to tell FreeRADIUS to get
> the Tunnel-Private-Group-Id from the users group.

So... you're not going to tell us where in the LDAP hierarchy the users group is defined. You're not going to give any useful information. You just repeat what you said in the previous message.

Computers don't work on "I want to do stuff".

Do you have an LDAP query (i.e. using ldapsearch) which returns the users group? If so, what is it?

Once you have an LDAP query, it's trivial to add that to the FreeRADIUS configuration.

The user may be a member of *multiple* groups, too. Which one are you going to select for assigning to Tunnel-Private-Group-Id?

Just... details matter. I can't for the life of me see why it's useful to say "I want to do stuff", with no more information than that.

Alan DeKok.
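The group query and the multiple-group question raised in the reply above, as an added example that is not part of the thread or of FreeRADIUS. The directory layout (groupOfNames entries with member DNs), the radiusTunnelPrivateGroupId attribute on the group, the group names, VLAN ids and the priority list are all assumptions, and the LDIF is constructed sample data of the kind an ldapsearch with this filter could return.

```python
# Added example: choose one VLAN from the LDAP groups a user is a member of.
# Assumptions: groups are groupOfNames entries and carry the VLAN id in
# radiusTunnelPrivateGroupId; names, DNs and VLAN ids below are constructed.
VLAN_ATTR = "radiusTunnelPrivateGroupId"
PRIORITY = ["netadmins", "staff"]  # hypothetical policy: first match wins

SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=org
cn: staff
radiusTunnelPrivateGroupId: 20

dn: cn=netadmins,ou=groups,dc=example,dc=org
cn: netadmins
radiusTunnelPrivateGroupId: 10

dn: cn=mailusers,ou=groups,dc=example,dc=org
cn: mailusers
"""

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(user_dn):
    """Filter for every group that lists user_dn as a member."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def parse_ldif(text):
    """Parse plain LDIF (no folded or base64 lines) into a list of dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, val = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(key, []).append(val)
        if entry:
            entries.append(entry)
    return entries

def select_vlan(entries, priority=PRIORITY):
    """Return the VLAN id of the highest-priority group, else None."""
    # Only groups that actually carry a VLAN id take part in the decision.
    by_cn = {e["cn"][0]: e[VLAN_ATTR] for e in entries if VLAN_ATTR in e}
    for cn in priority:
        if cn in by_cn:
            vlans = by_cn[cn]
            # Several ids on one group is ambiguous: assign nothing.
            return vlans[0] if len(vlans) == 1 else None
    return None  # user is in no listed group: assign nothing
```

Escaping the DN before it goes into the filter keeps a user-supplied name from changing which groups the query matches.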
On 28.01.21 16:21, Christian VAN DER ZWAARD via Freeradius-Users wrote:
> It means FreeRADIUS does not look for the Group id in the right place.
>
> It's not a bug or anything, I just don't know how to tell FreeRADIUS to get
> the Tunnel-Private-Group-Id from the users group.
>
> Kind regards.
>
> --
> Christian VAN DER ZWAARD
>
> On Thu, Jan 28, 2021 at 16:14, Alan DeKok <[hidden email]> wrote:
>
>> On Jan 28, 2021, at 10:06 AM, Christian VAN DER ZWAARD via
>> Freeradius-Users <[hidden email]> wrote:
>>> I'm actually trying to set up network authentication with FreeRADIUS and
>>> OpenLDAP.
>>>
>>> I'm trying to provide a VLAN depending on the users group. It actually
>>> works if I set the *Tunnel-Private-Group-Id* attribute on my user but I'd
>>> love to set a Group ID on my group object in LDAP only.
>>> FreeRADIUS won't take the Group ID when it's set in *Tunnel-Private-Group-Id*
>>> attribute on the group object.
>> What does that mean?
>>
>>> Do you have any idea how I can get this to work?
>> If only there was some kind of debug output which let you know *exactly*
>> what was going on...
>>
>> Alan DeKok.

Hi,

not exactly your use case, but perhaps you find inspiration in my blog:

https://blog.sys4.de/strongswan-vpn-based-on-groups-en.html

Kind regards,

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein