
List:       freeradius-users
Subject:    Re: Ldap Huntgroup 'Reject' issue
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2020-11-26 14:52:57
Message-ID: E4A49074-B209-4C7E-8032-25FC9421943D () deployingradius ! com

On Nov 25, 2020, at 11:20 PM, Kaya Saman via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> Many thanks Alan for the great guidance! :-)

  You're welcome.  Despite rumours to the contrary, I do help people.

> As per your instructions I created an Attribute in the dictionary file called 'Ldap-Locality'. I swapped all the cases of 'Huntgroup-Name' out and replaced them with 'Ldap-Locality'. Everything worked fine though the initial issue persists.

  OK.

> Currently I am converting the authorize file entries to unlang. I have a few quick questions:
> 1. Do I need to add the unlang checks to both 'default' and 'inner-tunnel' files?

  It depends what you want to do...

  Generally for 802.1X, the *real* user name isn't visible in the "default" server, but only in the "inner-tunnel" server.  So you have to put the rules there.

  Then, see the "inner-tunnel" server, and look for "use_tunneled_reply".  You can copy the attributes from the inner reply to the outer one.

> 2. Will FR see more than 1 value in the LocalityName field on the ldap server once the NAS entry is matched in the ldap path?

  It depends on how you configured it.  If you add more than one attribute, then yes, it will see more than one attribute.

> 
> 3. Currently I have added this snippet as a test in 'default':
> 
> authorize {
>     update request {
>         Ldap-Locality = ...
>         Ldap-Locality += ...
>     }
> 
>     if (Ldap-Locality == "<LocalityName_string>") {
>         if (Ldap-Group == "<group path>") {
>             # one attribute per line; an unlang "update" block takes no commas
>             update reply {
>                 NAS-Port-Type = "Wireless-802.11"
>                 Airespace-QOS-Level = 3
>             }
>         }
>     }
> 
> Is the 'update reply' portion correct as I am not seeing the Airespace-QOS-Level in the rad response from radiusd -X output?

  Read the debug log in DETAIL.  It will print out when it runs that "authorize" section.  It will print out each "update" section, and each "if" section.

  DON'T just look at the final Access-Accept.  Doing so is an utter waste of time.  It's like driving randomly for 3 hours with your eyes closed, then opening them and wondering why you're not home.  You have to look at each individual bit along the way to see what's going on.

  The same goes for the debug output.  Read it.  ALL of it.  Go over it slowly, looking for configuration bits you added.  Then, see if it's doing what you think it's doing.

  Alan DeKok.
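As an added example (not taken from Alan's or Kaya's messages, and not the FreeRADIUS project's shipped configuration), here is the shape that answers 1 and 3 above describe, put together for a 3.0.x server: the rlm_ldap mapping that fills Ldap-Locality, the rules placed in "inner-tunnel" where the real User-Name is visible, and the copy-out of the inner reply that use_tunneled_reply used to do. The attribute number 3010, the locality string "Building-A", the group DN, and the use of the LDAP "l" (localityName) attribute are assumptions chosen for illustration; the "[*]" index is the v3 unlang way to compare every instance of a multi-valued attribute rather than only the first.

```unlang
#
#  Added example, not from the thread.  Assumes FreeRADIUS 3.0.x,
#  a hypothetical local attribute number 3010, the LDAP "l" attribute
#  for locality, and placeholder locality/group values.
#

#  raddb/dictionary  (site-local dictionary)
ATTRIBUTE   Ldap-Locality   3010   string

#  raddb/mods-available/ldap, inside the module's "update { ... }" section:
#  copy every value of the user's "l" attribute into the request list.
update {
    control:Password-With-Header  += 'userPassword'
    request:Ldap-Locality         += 'l'
}

#  raddb/sites-enabled/inner-tunnel, "authorize" section, after "ldap".
#  For PEAP/TTLS the real User-Name only exists here, not in "default".
authorize {
    ...
    ldap

    #  [*] matches if ANY instance equals the string; a bare name
    #  compares only the first instance (see answer 2 above).
    if (&Ldap-Locality[*] == "Building-A") {
        if (&Ldap-Group == "cn=wifi-qos,ou=groups,dc=example,dc=org") {
            update reply {
                &NAS-Port-Type       := Wireless-802.11
                &Airespace-QOS-Level := 3
            }
        }
    }
    ...
}

#  raddb/sites-enabled/inner-tunnel, "post-auth" section.  Attributes in
#  the inner reply stay inside the TLS tunnel unless copied out.  Either
#  set "use_tunneled_reply = yes" under peap {} / ttls {} in
#  mods-available/eap, or copy the ones you want explicitly; the outer
#  "default" post-auth merges &session-state: into the final Access-Accept.
post-auth {
    ...
    update {
        &outer.session-state:Airespace-QOS-Level := &reply:Airespace-QOS-Level
    }
    ...
}
```

Only the attribute you need is copied out: blindly merging the whole inner reply into the outer one would also carry EAP-Message, MS-MPPE keys and the inner User-Name, which must not appear in the outer reply.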


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
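Reading the debug output section by section, as the reply above insists, can also be scripted so that the evaluation of each "if" and "update" is listed in order. The Python below is an added example, not code from the thread or from FreeRADIUS; the debug lines it parses are constructed to look like a v3 radiusd -X trace of the kind of snippet discussed above, not captured from anyone's server, and the regexes assume the v3 trace format ("if (...)  -> TRUE/FALSE", "update list {", "} # section = rcode").

```python
import re
from typing import Dict, List

# Constructed sample, shaped like FreeRADIUS 3 "radiusd -X" output for one
# request.  It is NOT captured from the poster's server.  The inner "if"
# on the group is FALSE, so "update reply" never runs and the final
# Access-Accept carries no Airespace-QOS-Level.
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 42 from 192.0.2.10:49152 to 192.0.2.1:1812 length 191
(0)   User-Name = "alice"
(0) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(0)   authorize {
(0)     update request {
(0)       &Ldap-Locality = "Building-A"
(0)     } # update request = noop
(0)     if (&Ldap-Locality == "Building-A") {
(0)     if (&Ldap-Locality == "Building-A")  -> TRUE
(0)     if (&Ldap-Locality == "Building-A")  {
(0)       if (&Ldap-Group == "cn=wifi-qos,ou=groups,dc=example,dc=org") {
(0)       if (&Ldap-Group == "cn=wifi-qos,ou=groups,dc=example,dc=org")  -> FALSE
(0)     } # if (&Ldap-Locality == "Building-A") = noop
(0)   } # authorize = noop
(0) Sent Access-Accept Id 42 from 192.0.2.1:1812 to 192.0.2.10:49152 length 20
"""

# Assumed v3 trace shapes (see lead-in).
COND_RE = re.compile(r'^\((\d+)\)\s+(if|elsif) \((.*)\)\s+->\s+(TRUE|FALSE)\s*$')
UPDATE_RE = re.compile(r'^\((\d+)\)\s+update (\S+) \{\s*$')
CLOSE_RE = re.compile(r'^\((\d+)\)\s+\} # (.+?) = (\w+)\s*$')


def trace_unlang(debug_text: str) -> List[Dict[str, str]]:
    """Return, in order, every condition result, every update section that
    was entered, and every section return code recorded in the debug text."""
    events: List[Dict[str, str]] = []
    for line in debug_text.splitlines():
        m = COND_RE.match(line)
        if m:
            events.append({"req": m.group(1), "kind": "condition",
                           "text": m.group(3), "result": m.group(4)})
            continue
        m = UPDATE_RE.match(line)
        if m:
            events.append({"req": m.group(1), "kind": "update",
                           "text": m.group(2), "result": "entered"})
            continue
        m = CLOSE_RE.match(line)
        if m:
            events.append({"req": m.group(1), "kind": "section",
                           "text": m.group(2), "result": m.group(3)})
    return events


def false_conditions(debug_text: str) -> List[str]:
    """Conditions that evaluated FALSE, in the order they were hit."""
    return [e["text"] for e in trace_unlang(debug_text)
            if e["kind"] == "condition" and e["result"] == "FALSE"]


def updates_entered(debug_text: str, list_name: str) -> int:
    """How many 'update <list_name> {' sections actually ran."""
    return sum(1 for e in trace_unlang(debug_text)
               if e["kind"] == "update" and e["text"] == list_name)


def explain_missing_reply_attribute(debug_text: str) -> str:
    """One-line verdict: did any 'update reply' run, and if not, which
    condition stopped the server before it got there."""
    if updates_entered(debug_text, "reply"):
        return "update reply ran; check its contents and the sections after it"
    bad = false_conditions(debug_text)
    if bad:
        return "no 'update reply' ran; first FALSE condition: " + bad[0]
    return "no 'update reply' ran and no FALSE condition was recorded"


if __name__ == "__main__":
    for ev in trace_unlang(SAMPLE_DEBUG):
        print(f"({ev['req']}) {ev['kind']:9} {ev['result']:8} {ev['text']}")
    print(explain_missing_reply_attribute(SAMPLE_DEBUG))
```

Run it against a saved radiusd -X capture (one request at a time) and the verdict line points at the first "if" that went the wrong way, which is the bit of the trace to stare at instead of the final Access-Accept.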

