Discussion:
Use update control for VLAN with ntlm_auth
Torsten Wilms
2015-10-14 16:50:20 UTC
Hello @all


I use FreeRADIUS version 3.0.10 and ntlm_auth to authenticate users via 802.1X against AD.
Now I want to set up switches with dynamic VLAN configuration.

I tried to use, in the authorize section under default and inner-tunnel:

mschap
if ( ok ) {
    update control {
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 8
    }
}


But no effect.

Also I tried to use

authenticate {
    ntlm_auth
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
        if ( ok ) {
            update control {
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = 8
            }
        }
    }
}


But it doesn’t work.

How can I use update control if ntlm_auth was successful?


Thanks a lot

Torsten


-
List info/subscribe/unsubscr
Alan DeKok
2015-10-14 16:58:25 UTC
Post by Torsten Wilms
I use FreeRADIUS version 3.0.10 and ntlm_auth to authenticate users via 802.1X against AD.
Now I want to set up switches with dynamic VLAN configuration.
That should be simple.
Post by Torsten Wilms
I tried to use, in the authorize section under default and inner-tunnel:
mschap
if ( ok ) {
That's wrong. Don't check for "ok". If authentication succeeds, the attributes will be sent back. If authentication fails, an empty Access-Reject will be sent back.
Post by Torsten Wilms
update control {
That's wrong. You want to send the attributes in the reply. See "man unlang" for documentation.
Post by Torsten Wilms
But no effect.
Because it's wrong.
Post by Torsten Wilms
Also i tried to use
...
That's wrong, too.
Post by Torsten Wilms
How can i use update control if ntlm_auth was successful?
You don't. You just update the reply.

Alan DeKok.


Torsten Wilms
2015-10-14 17:26:20 UTC
Hey Alan,

Thanks for your answer.

How can I do that? Can you give me a little example?

Thanks a lot

Torsten
Alan DeKok
2015-10-14 17:29:27 UTC
Post by Torsten Wilms
How can I do that? Can you give me a little example?
Of what? Using "update reply" ?

There are dozens of examples in the default configuration files, and lots of documentation. See "man unlang", or http://networkradius.com/doc/current/unlang/keywords.html

Alan DeKok.


A***@lboro.ac.uk
2015-10-14 18:40:21 UTC
Hi,
Post by Torsten Wilms
I use FreeRADIUS version 3.0.10 and ntlm_auth to authenticate users via 802.1X against AD.
Now I want to set up switches with dynamic VLAN configuration.
I tried to use, in the authorize section under default and inner-tunnel:
mschap
if ( ok ) {
    update control {
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 8
    }
}
NOT control. control is for the FreeRADIUS server (to CONTROL it), you need
to follow the docs and examples and update the reply instead. You'll also need
to check with your vendor about what attributes and values to return..
e.g. you may need

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 8

alan
Scott Armitage
2015-10-14 19:06:09 UTC
Post by Torsten Wilms
I use FreeRADIUS version 3.0.10 and ntlm_auth to authenticate users via 802.1X against AD.
Now I want to set up switches with dynamic VLAN configuration.
I tried to use, in the authorize section under default and inner-tunnel:
How can I use update control if ntlm_auth was successful?
This kind of work is done in post-auth. In your inner tunnel add something like:


post-auth {
    update reply {
        Tunnel-Private-Group-ID := 8
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = IEEE-802
        Session-Timeout = 28800
        Termination-Action = RADIUS-Request
    }
}



regards

Scott Armitage
Torsten Wilms
2015-10-14 21:13:07 UTC
OK. That's clear now.

But what happens if you have different rules?

For example: ntlm_auth, send reply with VLAN id 8. For VoIP devices send reply with VLAN id 16, and so on.

I think in this case we need to work with Perl, because the VoIP devices are stored in a database.

Or is that wrong?

Thanks a lot

Torsten
A***@lboro.ac.uk
2015-10-14 21:46:07 UTC
Hi,
Post by Torsten Wilms
But what happens if you have different rules?
you reply with different VLAN values! you need to decide your policies
and then write them.... how you DO policy making is down to you....but you
don't need to use PERL for various basic checks.... you say your VoIP devices
are in a database.... okay..so HOW are they in the DB? if it's their MAC address
then you could do a single SQL check with unlang and if the return
value is 1, then it's in the DB and you can return a different VLAN

if ("%{sql:...}" == 1) {
    update reply { ... }
}
else {
    update reply { ... }
}

read the unlang pages and the freeradius SQL pages for how to do such constructs.

alan
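A worked version of what Scott and alan sketch above (VLAN attributes set in post-auth via `update reply`, with an if/else around a single SQL lookup), added here as an example; it is not code from this thread or from the FreeRADIUS project. It assumes FreeRADIUS 3.0.x, an enabled `sql` module instance, and a constructed table `voip_devices` with a `mac` column holding phone MACs as `AA-BB-CC-DD-EE-FF`, which is the form the stock `rewrite_calling_station_id` policy in policy.d/canonicalization normalises Calling-Station-Id into. The VLAN numbers (8 for users, 16 for phones) are the ones from the thread. It is placed in the outer server (sites-available/default) because Calling-Station-Id lives in the outer request and the outer reply is what becomes the Access-Accept.

```unlang
# Added example, not from the thread: VLAN assignment in the post-auth
# section of sites-available/default, FreeRADIUS 3.0.x.
# Assumptions: a "sql" module instance is enabled, and a constructed table
#   voip_devices(mac VARCHAR(17))
# lists phone MACs as "AA-BB-CC-DD-EE-FF" (upper case, hyphen separated).
post-auth {
    # NAS vendors send the client MAC in different shapes ("aa:bb:cc:..",
    # "aabb.ccdd.eeff", ...); normalise first so the lookup does not silently
    # miss and drop a phone into the data VLAN.
    rewrite_calling_station_id

    # One SQL lookup. The sql xlat returns the first column of the first row,
    # here 0 or 1. Values expanded inside %{sql:...} are escaped by the sql
    # module, so the client-supplied Calling-Station-Id is not spliced in raw.
    if ("%{sql:SELECT COUNT(*) FROM voip_devices WHERE mac = '%{Calling-Station-Id}'}" == 1) {
        # Known phone: voice VLAN. A MAC address is not a secret, so this VLAN
        # should carry no more access than an unauthenticated device ought to get.
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := 16
        }
    }
    else {
        # Everything else that reached post-auth with an Access-Accept, i.e.
        # users whose ntlm_auth succeeded in the inner tunnel: data VLAN.
        # ":=" overrides any Tunnel-* attributes an earlier module may have set.
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := 8
        }
    }

    # ... the rest of the stock post-auth section (exec, Post-Auth-Type REJECT,
    # etc.) stays as shipped.
}
```

If the decision instead depends on data that only exists in the inner tunnel (an AD group membership, for instance), put the same block in the post-auth section of sites-available/inner-tunnel and set `use_tunneled_reply = yes` in the `peap { }` (or `ttls { }`) block of mods-available/eap, otherwise the inner reply attributes never reach the outer Access-Accept. Either way, verify with `radiusd -X`: the three Tunnel-* attributes must appear in the final "Sent Access-Accept" block, and the switch should show the port in the expected VLAN.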
Alan DeKok
2015-10-14 22:20:54 UTC
Post by Torsten Wilms
But what happens if you have different rules?
You write down the rules as if / then / else statements?

Did I mention you should read the documentation, and the examples?

Yes? Did you do that?
Post by Torsten Wilms
For example: ntlm_auth, send reply with VLAN id 8. For VoIP devices send reply with VLAN id 16, and so on.
I think in this case we need to work with Perl, because the VoIP devices are stored in a database.
Or is that wrong?
You don't need perl.

You DO need to start thinking for yourself. You need to start following instructions here.

There are *dozens* of examples of rules in the server. Read them.

If you're not willing to read the examples and documentation, we're not willing to help you any more. It's as simple as that.

Alan DeKok.


Torsten Wilms
2015-10-15 07:11:33 UTC
Hey Alan.

I read the documentation. But this is completely new for me, so not everything is clear to me.

Thanks a lot for your help and sorry about my questions.

Torsten