MAC auth with LDAP
Victor Cenac
2018-11-16 22:13:46 UTC
Hello everyone, I promise I read the docs and examples, but either they
refer to older versions of FreeRADIUS or don't match my scenario. Maybe
there are assumptions that I am not aware of.

I have a Juniper network where we assign devices to vlans based on their
MAC. The MACs are stored in an LDAP with the MAC as username and password.
The group membership is what distinguishes the vlan needed.

I managed to configure the ldap and enable the ldap module. FreeRADIUS
starts fine with it. I also added all the switches as clients.

I need help figuring out:
1. Where do I tell FreeRADIUS to look for users in ldap (vs the users file)?
2. Where do I match the group in ldap with the vlan number that needs to be
sent to the client (switch)? For example, for group Staff value is 10 (vlan
10).

Thank you in advance for your help!

Victor
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/use
Alan DeKok
2018-11-16 22:58:39 UTC
Post by Victor Cenac
I have a Juniper network where we assign devices to vlans based on their
MAC. The MACS are stored in an LDAP with the MAC as username and password.
The group membership is what distinguishes the vlan needed.
That should be simple enough.
Post by Victor Cenac
I managed to configure the ldap and enable the ldap module. FreeRADIUS
starts fine with it. I also added all the switches as clients.
OK.
Post by Victor Cenac
1. Where do I tell FreeRADIUS to look for users in ldap (vs the users file)?
raddb/sites-enabled/default

Look for "ldap". And, raddb/mods-available/ldap

See also http://wiki.freeradius.org/. Search for "ldap". It has lots of documentation.
Post by Victor Cenac
2. Where do I match the group in ldap with the vlan number that needs to be
sent to the client (switch)? For example, for group Staff value is 10 (vlan
10).
You don't map LDAP names directly to VLANs. They might be "sales", and you can't use "sales" as a VLAN number.

Instead, do this:

if (LDAP-Group == "staff") {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := 10
    }
}

Alan DeKok.
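As an added example (not from Alan's reply or the FreeRADIUS project's own configuration), here is a post-auth section for raddb/sites-enabled/default that extends the snippet above to several groups and adds an explicit default branch for MACs that authenticate but belong to no mapped group. The second group name, the VLAN numbers other than 10, and the module instance name "ldap" (which gives the LDAP-Group attribute its name) are assumptions.

```unlang
# Added example, not from the thread. Assumes the ldap module instance
# is named "ldap", so group membership is checked via LDAP-Group.
post-auth {
    # Group names live in LDAP; VLAN numbers live here. Keeping them
    # apart means renaming a group or renumbering a VLAN is a one-line
    # change in exactly one place.
    if (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (LDAP-Group == "printers") {      # assumed group name / VLAN
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # The MAC's LDAP password matched, but it is in no mapped group.
        # Without this branch the Access-Accept carries no Tunnel-*
        # attributes and the switch falls back to the port's default
        # VLAN, which is rarely what was intended. Rejecting (or sending
        # a quarantine VLAN instead) makes the outcome explicit.
        update reply {
            Reply-Message := "MAC not assigned to a VLAN group"
        }
        reject
    }
}
```

Run the server with radiusd -X and send a test request from the same host with radtest <mac> <mac> localhost 0 testing123 (testing123 is the default localhost secret in raddb/clients.conf); the debug output shows which branch fired and the Tunnel-* attributes in the resulting Access-Accept.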
