Re: Radius+Ldap:Allow the same host in multiple vlans
Ramon Escriba wrote:
> Hi Alan,
>
> Then is it possible to do a general match rule in huntgroups to, let's say, make the first 35 ports belong to VLAN A and the rest, 36 to 48, to VLAN B, or not?

What did my message say?

> business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-35
> IT NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 36-48
>
> Do I have to manually insert them one by one? I've +2000 ports active, I hope I do not have to ;-)

There are other ways.

> I did a little change in huntgroups to check that:
>
> XXX NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 33-50
>
> But without success:
>
> /etc/raddb/huntgroups[77]: Parse error (check) for entry XXX: Unknown value 33-50 for attribute NAS-Port

Well... I guess that doesn't work any more. Oh well.

Instead, you can check:

XXX NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port >= 33, NAS-Port <= 50

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius+Ldap:Allow the same host in multiple vlans
Hi,

I'm trying to organize my net using 802.1x-able switches with freeradius 2.1.1 + Openldap2-2.4 + OpenSuse 11.1. The system is running, at least @ test level but not yet deployed, but I have reached a crossroads and finally I have to choose: either having one LDAP subtree per VLAN, filled with all hosts that belong to it, or storing inside the host attributes all the VLANs it is allowed to or may get in.

The first road is the one I'm working on actually, because I don't know how to implement the second, the elegant one. I have multiple devices that may belong to multiple VLANs, so I would have duplicated hosts, which I don't like @ all.

In order to keep things easy I only use MAC authentication; later 802.1x EAP with user+pass (EAP-MSCHAPv2 or TTLS).

The idea is to declare in one single place the VLANs one host may be able to connect to, from the first top-priority VLAN to try up to the last option. Well, I'm using the radiusprofile attribute radiusTunnelGroupId to store the VLAN name or tag. If I set one host/user with the next VLAN tag attributes:

Uid=John.Cleese,ou=People,ou=Radius,xx
...
radiusTunnelGroupId: 666 (Mad Scientist)
radiusTunnelGroupId: 128 (Nut Engineers)
radiusTunnelGroupId: 256 (Nerd IT guys)
radiusTunnelGroupId: 51 (blackhole control)
...
userPassword X

or

Uid=mac-address,ou=Devices,ou=Radius,xx
cn: stupid.device.001
...
radiusTunnelGroupId: 666 (Mad scientist)
radiusTunnelGroupId: 999 (FusionCore)
...

The host/user may have rights to connect to those VLANs, from let's say the top priority (666) to the lesser one (51) [LDAP attribute order], in the first case, and only 666 or 999 in the second. Some areas are restricted, so only the ones with physical access may get a connection to the right VLAN.

The problem is how I may configure radius so it may choose the correct VLAN. Or try one and, if not possible, keep trying until no more choices are available.

I also have huntgroups, but I realized, if I'm not wrong, that freeradius only gets the first match and never tries the others, so:

BlackHoleCore NAS-IP-Address == 10.0.0.1
VacuumCleaner NAS-IP-Address == 10.0.0.1
CoffeeMachine NAS-IP-Address == 10.0.0.1

When in the freeradius users file I try

DEFAULT Huntgroup-Name == CoffeeMachine, Auth-Type = LDAPCoffee

it will never get in, because NAS-IP 10.0.0.1 will always match BlackHoleCore, never the others. (Is it OK?? Or am I wrong, or do I have to change something to get/force/allow multiple targets??)

A problem I found (I'm a newbie in radius) is that I'm not able to choose between the different VLANs, as radius always tries to match the first value of multi-valued attributes (radiusTunnelGroupId). Am I wrong again?

Freeradius sends the ACK-OK to the NAS switch with the target VLAN for this device. If the sent VLAN is not extended to that switch/NAS it fails silently (@ least it seems so in Extreme Networks), so the device is not connected.

I was trying to use the checkval module, but I don't know if that's the way it was thought of. As far as I understand I cannot use it, maybe I'm wrong again.

Is there any elegant way to do it? Is that approach, try the next VLAN if it exists @ LDAP, possible, and how?

Many Thanks.
Re: Radius+Ldap:Allow the same host in multiple vlans
Ramon Escriba wrote:
> Is that approach, try the next VLAN if it exists @ LDAP, possible, and how?

You've tried a lot of different things and are lost in the complexity of the solution.

The problem isn't that hard. Find a key which determines which VLAN to use. This key can be switch IP, location, etc. Then, use that key to select the correct VLAN.

What you're doing right now is trying to grab *all* VLANs, and then filter out the ones which aren't relevant. That's more complicated, and is less likely to work.

Alan DeKok.
RE: Radius+Ldap:Allow the same host in multiple vlans
Hi Alan,

Well, touché. We're also trying to use the LDAP DB to store DHCP info, so using the same structure to keep all host-related data: radius + dhcp + dns. The problem is we've a big number of VLANs, and multiple devices may connect in some VLANs. I'll try to simplify; I shall keep thinking on it.

By the way, in some of the cases the switch IP, even switch+port, is the key, so huntgroups does the job but only partially. This works (original huntgroups example):

#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1

But not this:

#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-7

Why? Is it normal?? If this feature worked, it would keep things a bit simpler. I'm missing something, isn't it?

Thanks for your fast answer.

-----Original Message-----
From: freeradius-users-bounces+escriba=cells...@lists.freeradius.org [mailto:freeradius-users-bounces+escriba=cells...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, 30 September 2010 9:34
To: FreeRadius users mailing list
Subject: Re: Radius+Ldap:Allow the same host in multiple vlans

> Ramon Escriba wrote:
> > Is that approach, try the next VLAN if it exists @ LDAP, possible, and how?
>
> You've tried a lot of different things and are lost in the complexity of the solution.
>
> The problem isn't that hard. Find a key which determines which VLAN to use. This key can be switch IP, location, etc. Then, use that key to select the correct VLAN.
>
> What you're doing right now is trying to grab *all* VLANs, and then filter out the ones which aren't relevant. That's more complicated, and is less likely to work.
>
> Alan DeKok.
Re: Radius+Ldap:Allow the same host in multiple vlans
Ramon Escriba wrote:
> By the way, in some of the cases the switch IP, even switch+port, is the key, so huntgroups does the job but only partially. This works (original huntgroups example):
>
> #business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1
>
> But not this:
>
> #business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-7
>
> Why?

NAS-Port-Id is a string, not an integer. NAS-Port is an integer.

Alan DeKok.
RE: Radius+Ldap:Allow the same host in multiple vlans
Hi Alan,

Then is it possible to do a general match rule in huntgroups to, let's say, make the first 35 ports belong to VLAN A and the rest, 36 to 48, to VLAN B, or not?

business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-35
IT NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 36-48

Do I have to manually insert them one by one? I've +2000 ports active, I hope I do not have to ;-)

I did a little change in huntgroups to check that:

XXX NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 33-50

But without success:

/etc/raddb/huntgroups[77]: Parse error (check) for entry XXX: Unknown value 33-50 for attribute NAS-Port

Do I need some unlang/whatever scripting to make the NAS-Port matching possible? I saw

#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7

and the like in many huntgroups examples (including the freeradius huntgroups file template examples). Are they wrong?

Thanks.

-----Original Message-----
From: freeradius-users-bounces+escriba=cells...@lists.freeradius.org [mailto:freeradius-users-bounces+escriba=cells...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, 30 September 2010 15:53
To: FreeRadius users mailing list
Subject: Re: Radius+Ldap:Allow the same host in multiple vlans

> Ramon Escriba wrote:
> > By the way, in some of the cases the switch IP, even switch+port, is the key, so huntgroups does the job but only partially. This works (original huntgroups example):
> >
> > #business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1
> >
> > But not this:
> >
> > #business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-7
> >
> > Why?
>
> NAS-Port-Id is a string, not an integer. NAS-Port is an integer.
>
> Alan DeKok.
Re: Radius+Ldap:Allow the same host in multiple vlans
On 2010/09/30 05:05 PM, Ramon Escriba wrote:
> Hi Alan,
>
> Then is it possible to do a general match rule in huntgroups to, let's say, make the first 35 ports belong to VLAN A and the rest, 36 to 48, to VLAN B, or not?

It sounds like you need some custom logic. Have you looked at rlm_perl?

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
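The custom logic Johan points at, written as an added rlm_perl example (it is not code from this thread or from FreeRADIUS): an `authorize` hook that keys the VLAN on one thing, switch address plus a NAS-Port range, following Alan's advice to pick a key rather than filter all VLANs, and comparing NAS-Port as the integer it is. The switch addresses, port ranges and VLAN IDs in the rule table are made-up sample values; `%RAD_REQUEST`, `%RAD_REPLY`, the return-code numbering and the `Tunnel-*` reply attributes are FreeRADIUS's own names. The lookup lives in a plain function so the table can be checked from a shell before the server loads it.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from FreeRADIUS: an rlm_perl
# "authorize" hook that picks the VLAN from one key, switch address plus
# NAS-Port range. All addresses, port ranges and VLAN IDs here are made up.
use strict;
use warnings;

# Return codes rlm_perl expects (same numbering as FreeRADIUS's example.pl).
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_USERLOCK => 5,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# rlm_perl fills these before each call and reads %RAD_REPLY afterwards.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Rule table (hypothetical): switch address, first port, last port, VLAN ID.
# Ports are compared as integers, which is why the rules use NAS-Port and not
# NAS-Port-Id: NAS-Port-Id is a string, so "1-7" is just text and "10" sorts
# before "2"; neither behaves as a numeric range.
my @RULES = (
    [ '192.168.2.5', 1,  35, '128' ],   # "business" ports -> VLAN 128
    [ '192.168.2.5', 36, 48, '256' ],   # "IT" ports       -> VLAN 256
    [ '192.168.2.6', 1,  48, '51'  ],   # whole switch     -> VLAN 51
);

# Pure lookup: returns the VLAN ID, or undef when no rule matches, so the
# caller can fall through to other modules instead of guessing a VLAN.
sub vlan_for_port {
    my ($nas_ip, $nas_port) = @_;
    return undef unless defined $nas_ip && defined $nas_port;
    return undef unless $nas_port =~ /^\d+$/;      # must be a plain integer
    for my $rule (@RULES) {
        my ($ip, $lo, $hi, $vlan) = @$rule;
        return $vlan if $ip eq $nas_ip && $nas_port >= $lo && $nas_port <= $hi;
    }
    return undef;
}

# Called by FreeRADIUS from the "authorize" section when "perl" is listed there.
sub authorize {
    my $vlan = vlan_for_port($RAD_REQUEST{'NAS-IP-Address'},
                             $RAD_REQUEST{'NAS-Port'});
    return RLM_MODULE_NOOP unless defined $vlan;   # no rule: leave it to others

    # Standard RFC 3580 VLAN assignment attributes.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_UPDATED;
}

# Stand-alone check when run from a shell instead of by rlm_perl.
unless (caller) {
    my @probes = (
        [ '192.168.2.5', 12    ],   # inside 1-35  -> 128
        [ '192.168.2.5', 40    ],   # inside 36-48 -> 256
        [ '192.168.2.6', 7     ],   # -> 51
        [ '192.168.2.5', 49    ],   # beyond the table -> no rule
        [ '192.168.2.5', '1-7' ],   # not an integer   -> no rule
    );
    for my $p (@probes) {
        my $v = vlan_for_port(@$p);
        printf "%-12s port %-4s -> %s\n", @$p, defined $v ? "VLAN $v" : "no rule";
    }
    # Exercise the hook itself the way rlm_perl would.
    %RAD_REQUEST = ('NAS-IP-Address' => '192.168.2.5', 'NAS-Port' => 40);
    my $rc = authorize();
    printf "authorize() returned %d, Tunnel-Private-Group-Id=%s\n",
        $rc, $RAD_REPLY{'Tunnel-Private-Group-Id'};
}

1;
```

To wire it in, point the `module = ` setting of the perl module at this file and list `perl` in the `authorize` section. Before filling the table, run the server with `radiusd -X` and look at the NAS-Port value each switch actually sends: on many switches it is an interface index rather than the front-panel port number, so the ranges have to be taken from the debug output, not from the faceplate. Returning noop when nothing matches keeps a mis-keyed request from landing in an arbitrary VLAN.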