List: freeradius-users
Subject: Re: Ldap Huntgroup 'Reject' issue
From: Alan DeKok <aland () deployingradius ! com>
Date: 2020-11-26 14:52:57
Message-ID: E4A49074-B209-4C7E-8032-25FC9421943D () deployingradius ! com
On Nov 25, 2020, at 11:20 PM, Kaya Saman via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> Many thanks Alan for the great guidance! :-)
You're welcome. Despite rumours to the contrary, I do help people.
> As per your instructions I created an Attribute in the dictionary file called 'Ldap-Locality'. I swapped all the cases of 'Huntgroup-Name' out and replaced them with 'Ldap-Locality'. Everything worked fine, though the initial issue persists.
OK.
> Currently I am converting the authorize file entries to unlang. I have a few quick questions:
> 1. Do I need to add the unlang checks to both 'default' and 'inner-tunnel' files?
It depends what you want to do...
Generally for 802.1X, the *real* user name isn't visible in the "default" server, but only in the "inner-tunnel" server. So you have to put the rules there.
Then, see the "inner-tunnel" server, and look for "use_tunneled_reply". You can copy the attributes from the inner reply to the outer one.
> 2. Will FR see more than 1 value in the LocalityName field on the ldap server once the NAS entry is matched in the ldap path?
It depends on how you configured it. If you add more than one attribute, then yes, it will see more than one attribute.
>
> 3. Currently I have added this snippet as a test in 'default':
>
> authorize {
>     update request {
>         Ldap-Locality =...
>         Ldap-Locality +=...
>     }
>     if (Ldap-Locality == "<LocalityName_string>") {
>         if (Ldap-Group == "<group path>") {
>             update reply {
>                 NAS-Port-Type = "Wireless-802.11",
>                 Airespace-QOS-Level = 3
>             }
>         }
>     }
> }
>
> Is the 'update reply' portion correct as I am not seeing the Airespace-QOS-Level in the rad response from radiusd -X output?
Read the debug log in DETAIL. It will print out when it runs that "authorize" section. It will print out each "update" section, and each "if" section.
DON'T just look at the final Access-Accept. Doing so is an utter waste of time. It's like driving randomly for 3 hours with your eyes closed, then opening them and wondering why you're not home. You have to look at each individual bit along the way to see what's going on.
The same goes for the debug output. Read it. ALL of it. Go over it slowly, looking for configuration bits you added. Then, see if it's doing what you think it's doing.
Alan DeKok.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
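As an added illustration (not config from this thread or from the FreeRADIUS project): one way to place the locality/group check in the "inner-tunnel" server, where the real user name is visible, and to carry the resulting reply attributes out to the outer Access-Accept. It assumes the thread's custom Ldap-Locality attribute is populated by the ldap module before the check, keeps the user's placeholder values, and assumes a 3.0.x-style outer "default" server whose post-auth section still copies &session-state: into &reply:.

```unlang
#  sites-enabled/inner-tunnel (hypothetical excerpt, added example)
authorize {
	#  ... other modules ...
	ldap

	#  Ldap-Locality is the custom dictionary attribute from the thread,
	#  assumed to be filled in by the ldap module above.  The "&" prefix
	#  makes the attribute reference explicit.
	if (&Ldap-Locality == "<LocalityName_string>") {
		if (&Ldap-Group == "<group path>") {
			#  ":=" overrides any value already in the reply list.
			update reply {
				&NAS-Port-Type := "Wireless-802.11"
				&Airespace-QOS-Level := 3
			}
		}
	}
	#  ... eap, pap, etc. ...
}

post-auth {
	#  The inner reply is discarded unless it is explicitly copied out.
	#  First strip attributes that must never leave the tunnel.
	update reply {
		&User-Name !* ANY
		&Message-Authenticator !* ANY
		&EAP-Message !* ANY
		&Proxy-State !* ANY
		&MS-MPPE-Encryption-Types !* ANY
		&MS-MPPE-Encryption-Policy !* ANY
		&MS-MPPE-Send-Key !* ANY
		&MS-MPPE-Recv-Key !* ANY
	}
	#  Then copy what remains (NAS-Port-Type, Airespace-QOS-Level) to the
	#  outer session-state list; the outer server's post-auth policy is
	#  assumed to move that list into the final Access-Accept.
	update {
		&outer.session-state: += &reply:
	}
}
```

In `radiusd -X` output, each `if (...)` line should be followed by its `-> TRUE` / `-> FALSE` result and each `update` block by its return code, which is where to confirm the branch actually ran before looking at the final Access-Accept.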