On 01/26/2012 02:41 PM, suggestme wrote:

> I tried using Called-Station-Id to check the condition, which is OK for
> now for testing, but which I guess is not feasible if there are thousands
> of NAS devices. I don't know what would be the best test condition for this.

There are many options. You could match on Client-Shortname with the following client def:

client VPN-1 {
  ipaddr = 192.0.2.1
  secret = ...
}

...and then in authorize:

authorize {
  ...
  if (Client-Shortname =~ /^VPN/) {
   ..
  }
}

Or use Huntgroup-Name and huntgroups.


> But now I am facing the problem that I can't use more than one If condition
> inside unlang to test the conditions inside the Ldap module. (If I am correct in
> my understanding.)

Sorry, I don't understand what you mean here.


> And also, using the filter defined as above inside the Ldap module, some users of
> Active Directory who don't have extensionAttribute10 might get rejected.
> These users should get default acceptance, but should be granted access to
> VPN or wifi if a value is assigned to them in extensionAttribute10. If they don't
> have the attribute defined they should still get accepted as a default user.

Well, you need to write your LDAP filter correctly. I suggest you read the LDAP filter syntax.

Another option, which you've almost figured out, is to pull the data from LDAP then do the decisions in unlang.

> Is there any easy way to check the condition for a particular attribute of
> Active Directory? And I don't know where to check this, if I am already
> using an If conditional statement for returning the Filter-Id inside the Ldap
> module.
>
> In my understanding, people use to check this type of condition for the
> users that are defined in the "users" file as:
>
> bob         User-Password == "testing", Connection-Type := "VPN"
>
> But I am not sure how to check like this, even if I define it in
> ldap.attrmap as:
>
> checkItem       Connection-Type                    extensionAttribute10

Ok, several steps:

1. Define your attribute in /etc/raddb/dictionary, e.g.

ATTRIBUTE       My-Extension10  3010    string

2. Define the LDAP -> RADIUS mapping in ldap.attrmap

checkItem       My-Extension10  extensionAttribute10

3. Run the LDAP module, then compare the attribute. Note - because you've mapped the item to check/control lists, you can't use a "users" file - you must use unlang, like so:

authorize {
  ...
  ldap
  if (My-Extension10 == VPN) {
    ..
  }
}

...or more likely:

authorize {
  ..
  ldap
  if (Client-Shortname =~ /^VPN/) {
    if (My-Extension10 == VPN) {
      # permit
    }
    else {
      reject
    }
  }
  ...
}

HTH
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
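Below is an added example that ties the three steps together and handles the case of users who have no extensionAttribute10; it is not from the original post or from the FreeRADIUS project. It assumes FreeRADIUS 2.x syntax, the My-Extension10 attribute and ldap.attrmap line from the reply, NAS client short names beginning with VPN or WIFI, and "VPN"/"wifi" as the attribute values (all assumed naming).

```unlang
# Added example, not from the original post. Assumes FreeRADIUS 2.x,
# the My-Extension10 attribute and ldap.attrmap mapping from the reply,
# and NAS client short names starting with VPN or WIFI (assumed naming).

# /etc/raddb/dictionary
ATTRIBUTE       My-Extension10  3010    string

# /etc/raddb/ldap.attrmap  (checkItem => attribute lands in the control list)
checkItem       My-Extension10  extensionAttribute10

# /etc/raddb/sites-enabled/default (other modules omitted)
authorize {
  # The LDAP filter must not require extensionAttribute10 to be present,
  # otherwise users lacking it are never found and are rejected right here.
  ldap

  # Users with no extensionAttribute10 get no control:My-Extension10,
  # so this whole block is skipped and they keep the default outcome.
  if (control:My-Extension10) {
    if (Client-Shortname =~ /^VPN/) {
      # string comparison is case-sensitive; "VPN" is the assumed value
      if (control:My-Extension10 != "VPN") {
        reject
      }
    }
    elsif (Client-Shortname =~ /^WIFI/) {
      # "wifi" is the assumed value for wireless access
      if (control:My-Extension10 != "wifi") {
        reject
      }
    }
  }
}
```

If users without the attribute should not reach the VPN or wifi NAS at all, add an `else { reject }` to the outer `if` instead of letting them fall through. Run `radiusd -X` and watch the control list after `ldap` to confirm the mapped attribute actually arrives before trusting the condition.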
