[EMAIL PROTECTED] wrote:
We'd like to setup the following:

A workstation is booted, the supplicant asks for the credentials, the Cisco switch passes the credentials to a FreeRADIUS server, FreeRADIUS authenticates the user against an eDirectory LDAP server, and FreeRADIUS decides which Tunnel-Private-Group-Id to send back to the switch to place the user into the correct VLAN.

The authentication/authorization works fine. The Cisco switch accepts the returned VLAN info if we hard-code it into the users file, such as with:

DEFAULT
    Tunnel-Private-Group-ID:1 := 901,
    Tunnel-Type:1 = VLAN,
    Tunnel-Medium-Type:1 = IEEE-802

We attempted to make the configuration more generic by setting Tunnel-Private-Group-ID equal to an LDAP attribute in ldap.attrmap. This would automatically associate the VLAN ID with the user.

replyItem       Tunnel-Private-Group-ID         ourldapattribforthevlan

That didn't work because FreeRADIUS wasn't associating a tag with the attribute (or was setting it to zero when responding to the switch). A Wireshark capture confirmed the 0 tag. We attempted to add a :1 after Tunnel-Private-Group-ID, but that didn't pan out either.

We then attempted to use unlang in the users file to accomplish the same thing. (Tunnel-Client-Endpoint was added to ldap.attrmap as a dummy variable to hold the 'ourldapattribforthevlan' from LDAP.)

unlang doesn't live in the users file; it lives in the config file, like so:

server {
  authorize {
    preprocess
    # ldap runs first, so the reply item it maps from ldap.attrmap
    # is already in the reply list when the update below executes
    ldap
    update reply {
      Tunnel-Private-Group-Id:1 := "%{reply:Tunnel-Client-Endpoint}"
    }
  }
}


DEFAULT
    Tunnel-Private-Group-ID:1 := `%{reply:Tunnel-Client-Endpoint}`,
    Tunnel-Type:1 = VLAN,
    Tunnel-Medium-Type:1 = IEEE-802

This isn't "unlang" - it's just a plain "files" module entry.


With this configuration, we tried countless combinations of backticks, single quotes, and double quotes. The best response we could send back to the switch was:

        Tunnel-Type:1 = VLAN
        Tunnel-Medium-Type:1 = IEEE-802
        Tunnel-Private-Group-Id:1 = ""

It looks to me like the "files" module was running before the "ldap" module.


Has anyone else come across the issue with Cisco not dealing with 0 tags? Is there a way to use unlang to pull in the variables to be used in the users file?

I have not. RFC2868 seems pretty clear that a "0" tag is permitted. I've used VLAN assignment with a Cisco (formerly Airespace) WiSM and it will take a "0" tag.

What platform & IOS version are you on?

As I say, unlang doesn't run in the users file - think of it as conditional branching and so forth for the config file.


Thank you for taking the time to read this. After a couple of days of searching, we still haven't come up with the correct search terms for Google.

Thank you,
Mike Coles

--
This message was sent on behalf of [EMAIL PROTECTED] at openSubscriber.com
http://www.opensubscriber.com/messages/[email protected]/topic.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
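An added example, not code from this thread or from FreeRADIUS, showing what the three tunnel attributes look like on the wire, which is what the Wireshark capture in the thread turned on: the ":1" in "Tunnel-Private-Group-Id:1" becomes a tag octet in front of each value, and a zero tag is simply the "unused" tag that RFC 2868 permits. The attribute numbers and the VLAN(13)/IEEE-802(6) values are from RFC 2868 and RFC 3580, and VLAN 901 is the value from the thread; the function names and the sample bytes are assumptions made for illustration. The decoder also handles the RFC 2868 rule that a leading octet above 0x1F on a tagged string is not a tag but part of the string, so an untagged "901" still decodes.

```python
# Added example (not code from this thread or from FreeRADIUS): encode and
# decode the RFC 2868 tagged tunnel attributes that carry a VLAN assignment
# in an Access-Accept, so the tag octet that the Wireshark capture showed
# can be inspected directly.  Attribute numbers and enum values are from
# RFC 2868 / RFC 3580; function names and sample bytes are assumptions.

TUNNEL_TYPE = 64                 # RFC 2868 s.3.1, tagged integer
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868 s.3.2, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868 s.3.6, tagged string
TUNNEL_TYPE_VLAN = 13            # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580
MAX_TAG = 0x1F                   # tags are 0x01..0x1F; 0x00 means "no tag"


def encode_tagged_int(attr_type, tag, value):
    """Type | Length=6 | Tag | 3-byte big-endian value."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integers carry only 24 bits")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, value):
    """Type | Length | Tag | String (a RADIUS AVP is at most 255 bytes)."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    if len(value) > 252:
        raise ValueError("string too long for one AVP")
    return bytes([attr_type, 3 + len(value), tag]) + value


def vlan_reply_avps(vlan_id, tag=1):
    """The three AVPs a 'Tunnel-...:<tag>' triple in the users file produces."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_avps(data):
    """Walk a run of AVPs and return (type, tag, value) tuples as a
    dissector would show them.  Non-tunnel attributes get tag None."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 s.3.6: a leading octet above 0x1F is not a tag but the
            # first byte of the string, so an untagged "901" still decodes.
            if body and body[0] <= MAX_TAG:
                out.append((attr_type, body[0], body[1:].decode("utf-8")))
            else:
                out.append((attr_type, 0, body.decode("utf-8")))
        else:
            out.append((attr_type, None, body))
        i += length
    return out


if __name__ == "__main__":
    # Constructed sample: the same VLAN sent with tag 1 and with the "unused" tag 0.
    for tag in (1, 0):
        wire = vlan_reply_avps(901, tag)
        print(f"tag {tag}: {wire.hex()} -> {decode_avps(wire)}")
```

Running it prints the hex that Wireshark would dissect; the third byte of each AVP is the tag, and the empty-string reply the poster saw ("Tunnel-Private-Group-Id:1 = """) corresponds to an AVP of just three bytes, 51 03 01, with a tag but no VLAN behind it.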
