[email protected] wrote:
>> Here is one policy that I wish to make work.
>>
>> 1- a client connects to a 802.1x protected VLAN ID 10 (per port basis
>> configuration on the switch)
>> --> this client has some of the following LDAP attributes:
>> uid = bobalice
>> radiusTunnelPrivateGroupID = 20
>> radiusTunnelType = VLAN
>> radiusMediumType = IEEE-802
>> radiusCallingStationId = 00-21-42-42-87-b1
>> radiusUserCategory = ADMIN
>> 2- First I want to check the following attributes, and if not correct,
>> reject the user:
>> radiusTunnelType = VLAN
>> radiusMediumType = IEEE-802
>>
>
> Are those two attributes in the access request? If they are, map them as
> check items in ldap.attrmap.
>
>> radiusCallingStationId = 00-21-42-42-87-b1
>>
>
> This is already in ldap.attrmap.
>
>> radiusUserCategory = ADMIN
>>
>
> Where is that supposed to come from?
>
>> 3- Then I want to authenticate and authorise the user if login/password
>> are correct
>>
>
> Fine. Nothing to do.
>
>> 4 - Then Move him into the appropriate VLAN ID 20 instead of ID10 based
>> on this attribute:
>> radiusTunnelPrivateGroupID = 20
>>
>
> Map that as reply item in ldap.attrmap. You will need tunnel and medium
> type in the reply as well. So add them too.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Here is the content of a packet received by radiusd:

rad_recv: Access-Request packet from host 10.1.1.2 port 1692, id=171, length=302
	Framed-MTU = 1480
	NAS-IP-Address = 10.1.1.2
	NAS-Identifier = "Test Switch "
	User-Name = "bobalice"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "20"
	Called-Station-Id = "00-11-f3-1d-5d-00"
	Calling-Station-Id = "00-14-b2-7a-87-b4"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0xff747043ff76690706eed2dfa8b93b90
	EAP-Message = 0x0202005019800981004616030100410100003d030149dce2350a464fb33bb5333ee36c942769f84056fcb49ef5371ee91f0503103800001600040005000a000990640062000300060013001200630100
	Message-Authenticator = 0xec90edc178afb509db4131a36bfe42fe

Furthermore, to reply to Alan about the radiusUserCategory, it is given with the radius.schema for ldap. Is it a useless attribute then?

I'll be checking this afternoon and testing putting more info in ldap.attrmap to see if the filters work. I'll let you know.

Regards,
Matt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
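The mapping Ivan describes, written out as an added example (not a configuration posted by anyone in this thread). It assumes the FreeRADIUS 2.x ldap.attrmap syntax (one `checkItem` or `replyItem` line per RADIUS attribute, followed by the LDAP attribute that holds its value) and the attribute names from the radius.schema shipped with FreeRADIUS, where the medium-type attribute is called radiusTunnelMediumType. The packet dump above shows that Tunnel-Type and Tunnel-Medium-Type are present in the Access-Request, so they can be used as check items; Tunnel-Private-Group-Id is also in the request but with the switch's current value "1", so it must stay a reply item only, otherwise the comparison against the LDAP value 20 would reject every user.

```text
# ldap.attrmap fragment (added example, FreeRADIUS 2.x syntax assumed)
#
# Check items: rlm_ldap compares the LDAP value with the attribute the
# switch sent in the Access-Request and rejects the user on mismatch.
checkItem	Tunnel-Type		radiusTunnelType
checkItem	Tunnel-Medium-Type	radiusTunnelMediumType
checkItem	Calling-Station-Id	radiusCallingStationId

# Reply items: copied from the user's LDAP entry into the Access-Accept.
# The switch needs all three to move the port to the VLAN named in
# radiusTunnelPrivateGroupId (20 for bobalice above).
replyItem	Tunnel-Type		radiusTunnelType
replyItem	Tunnel-Medium-Type	radiusTunnelMediumType
replyItem	Tunnel-Private-Group-Id	radiusTunnelPrivateGroupId
```

Values such as VLAN and IEEE-802 are resolved through the RADIUS dictionary when the reply pairs are built, so the LDAP entry can hold the names rather than the numeric codes 13 and 6. The Calling-Station-Id check only binds the account to whatever MAC the supplicant reports, so treat it as a consistency check alongside the EAP credential rather than as an authentication factor on its own. After restarting radiusd, `radiusd -X` shows the check items being compared and the reply items appended, which is the quickest way to confirm the filters behave as intended.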

