Re-write Attributes based upon NAS-Port-Type and LDAP authorization response

Bill Carr
Hello Folks,

I've posted something similar to this in the past and my question was
answered rather tersely. I'm hoping a little more detail will invoke
the type of kind responses I'm used to in the Open Source Community.

I've got FreeRadius on RedHat ES3 authenticating users to OpenLDAP.  

So far we've simply been authenticating users via 802.1x on Wired Switch
ports and we've now added new equipment for WIFI which requires the
RFC3580 attributes (instead of the Filter-ID we've populated in our LDAP
schema).

I believe it should be relatively simple to perform the following
checks to "re-write" my attributes for the WIFI Gear. I can base the
decision to re-write on the NAS-Port-Type received.

My pseudo-code thought process is outlined below (I'm not a coder, would
never profess to be; thus my post!):

    if NAS-Port-Type == "Wireless - IEEE 802.11"
    then
        Tunnel-Medium-Type == IEEE-802
        Tunnel-Type == VLAN

        if Filter-ID =~ "Internet-Restricted"
        then Tunnel-Private-Group-ID == 155 (or the Restricted VLANID)
        elseif Filter-ID =~ "Allow-All"
        then Tunnel-Private-Group-ID == 156 (or the Allowed VLANID).
        endif
    endif

My reading thus far has led me to test my reply attribute requirements
from the "users" file and that works perfectly. If someone could point
me in a simple direction on how to strip/rewrite the attributes based on
the 'authorization' reply from LDAP, I'd be indebted. I've seen
examples of profiles stored on LDAP, but I'm curious how I could choose
a different profile based upon the "NAS-Port-Type" received in the
Access-Request.


Here's what I did in the "users" file to test successfully (I don't know
that it's of any value but to demonstrate what I'm trying to
accomplish).

testuser User-Password == "user", NAS-Port-Type == "Wireless-802.11"
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = "155"

testuser User-Password == "user", NAS-Port-Type == "Ethernet"
        Filter-ID = "Enterasys:version=1:policy=Internet-Restricted"

admin User-Password == "admin", NAS-Port-Type == "Wireless-802.11"
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = "156"

admin User-Password == "admin", NAS-Port-Type == "Ethernet"
        Filter-ID = "Enterasys:version=1:policy=Allow-All"


Thanks to all in advance.
 
Bill



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re-write Attributes based upon NAS-Port-Type and LDAP authorization response

Alan DeKok-3
"Bill Carr" <[hidden email]> wrote:

> My pseudo-code thought process is outlined below (I'm not a coder, would
> never profess to be; thus my post!):
>
>              if NAS-Port-Type == "Wireless - IEEE 802.11"
>  
>              then
>  
>                          Tunnel-Medium-Type == IEEE-802
>                          Tunnel-Type == VLAN
>  
>                          if Filter-ID =~ "Internet-Restricted"

  That won't work.  The NAS doesn't send Filter-Id.  You've got to
configure the server to send the correct response back.

> My reading thus far has lead me to test my reply attribute requirements
> from the "users" file and that works perfectly.   If someone could point
> me in a simple direction on how to strip/rewrite the attributes based on
> the 'authorization' reply from LDAP, I'd be indebted.

  I don't see why that's necessary.  Configuring the server to do
something, then re-do what it already did as something else, is a bad
idea.  It's hard to configure, and prone to problems.

  Instead, configure the server to match on something, and send a
reply.  It's a lot easier.

>   I've seen examples of profiles stored on LDAP, but I'm curious how
> I could choose a different profile based upon the "NAS-Port-Type"
> received in the Access-Request

  You put the NAS-Port-Type into the LDAP query.  That's why the
queries are configurable.

  Alan DeKok.

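Alan's "match on something and send a reply" approach, written out as an added users-file example that is not part of the thread: each entry matches on NAS-Port-Type plus LDAP group membership (rlm_ldap's Ldap-Group check item) and sends either the RFC 3580 tunnel attributes or the Filter-ID directly, so no second rewrite pass is needed. The LDAP group names "internet-restricted" and "allow-all" are assumed; the VLAN IDs and Filter-ID policy strings are the ones from Bill's post.

```conf
# Added example, not from the thread.  Assumes rlm_ldap is loaded (it registers
# the Ldap-Group comparison) and that users belong to the hypothetical LDAP
# groups "internet-restricted" and "allow-all".  rlm_files tries entries top
# to bottom and stops at the first entry whose check items all match.

# Wireless clients: RFC 3580 dynamic VLAN assignment
DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == "internet-restricted"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "155"

DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == "allow-all"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "156"

# Wired 802.1X switch ports keep the existing Enterasys policy via Filter-Id
DEFAULT NAS-Port-Type == Ethernet, Ldap-Group == "internet-restricted"
        Filter-Id = "Enterasys:version=1:policy=Internet-Restricted"

DEFAULT NAS-Port-Type == Ethernet, Ldap-Group == "allow-all"
        Filter-Id = "Enterasys:version=1:policy=Allow-All"

# Catch-all: a user with no matching port type / group gets no network
# policy attached, so fail closed instead of granting unrestricted access.
DEFAULT
        Auth-Type := Reject
```

Each entry's reply attributes use `=`, the operator the users file expects for reply items; `==` is only for check items.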