[RADIATOR] Dynamic VLAN assignment based on AD group membership

Johnson, Neil M neil-johnson at uiowa.edu
Thu Apr 29 11:24:46 CDT 2010


I tried the following configuration after verifying that authentication works if I don't check for group membership.
.
.
.      
	AuthByPolicy ContinueUntilAccept
	<AuthBy LSA>
		# Specifies which Windows Domain is ALWAYS to be used to authenticate
		# users (even if they specify a different domain in their username).
		# Special characters are supported. Can be an Active
		# Directory domain or a Windows NT domain controller
		# domain name.
		# Empty string (the default) means the local machine only
		#Domain OPEN
		#Domain IOWA

		# Specifies the Windows Domain to use if the user does not
		# specify a domain in their username.
		# Special characters are supported. Can be an Active
		# Directory domain or a Windows NT domain controller
		# domain name.
		# Empty string (the default) means the local machine
		#DefaultDomain OPEN
		DefaultDomain IOWA
		
		# You can check whether each user is the member of a windows group
		# with the Group parameter. If more than one Group is specified, then the
		# user must be a member of at least one of them. Requires Win32::NetAdmin
		# (which is installed by default with ActivePerl). If no Group
		# parameters are specified, then Group checks will not be performed.
		#Group Administrators
		#Group Domain Users
		Group ITS-WIRELESS

		# You can specify which domain controller will be used to check group
		# membership with the DomainController parameter. If no Group parameters
		# are specified, DomainController will not be used. Defaults to
		# empty string, meaning the default controller of the host where this
		# instance of Radiator is running.
		#DomainController zulu

		# This tells the PEAP client what types of inner EAP requests
		# we will honour
		EAPType MSCHAP-V2
	</AuthBy>

	<AuthBy LSA>
		DefaultDomain IOWA
		Group radtestgroup1
		AddToReply Tunnel-Medium-Type = 802
		AddToReply Tunnel-Private-Group-ID = 820
		AddToReply Tunnel-Type = VLAN
		EAPType MSCHAP-V2
	</AuthBy>

	<AuthBy LSA>
		DefaultDomain IOWA
		Group radtestgroup2
		AddToReply Tunnel-Medium-Type = 802
		AddToReply Tunnel-Private-Group-ID = 840
		AddToReply Tunnel-Type = VLAN
		EAPType MSCHAP-V2
	</AuthBy>

	<AuthBy LSA>
		DefaultDomain IOWA
		Group radtestgroup3
		EAPType MSCHAP-V2
	</AuthBy>

</Handler>
.
.
.

However, the following appears in the LOG files:
.
.
.
Thu Apr 29 11:00:37 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Thu Apr 29 11:00:37 2010: DEBUG:  Deleting session for anonymous, 128.255.134.59, 12289
Thu Apr 29 11:00:37 2010: DEBUG: Handling with Radius::AuthLSA: 
Thu Apr 29 11:00:37 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
Thu Apr 29 11:00:37 2010: DEBUG: Response type 26
Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:37 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:37 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:37 2010: DEBUG: Handling with Radius::AuthLSA: 
Thu Apr 29 11:00:37 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
Thu Apr 29 11:00:37 2010: DEBUG: Response type 26
Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:38 2010: DEBUG: Handling with Radius::AuthLSA: 
Thu Apr 29 11:00:38 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
Thu Apr 29 11:00:38 2010: DEBUG: Response type 26
Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:38 2010: DEBUG: Handling with Radius::AuthLSA: 
Thu Apr 29 11:00:38 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
Thu Apr 29 11:00:38 2010: DEBUG: Response type 26
Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:38 2010: INFO: Access rejected for anonymous: EAP MSCHAP V2 failed: no such user IOWA\nmjoo
Thu Apr 29 11:00:38 2010: DEBUG: Returned PEAP tunnelled packet dump:
.
.
.

Again the same account works, if I don't check for Group Membership. I've made sure to install Win32::NetAdmin.

Thanks.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-johnson at uiowa.edu
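The following is an added example for this thread, not Radiator code and not part of either message above. It is a small Python model of what the trace 4 log shows AuthByPolicy ContinueUntilAccept doing with the four AuthBy LSA clauses from the posted configuration: each clause is tried in order, a clause with Group lines only accepts a user who is in at least one of them, the first ACCEPT ends the walk and its AddToReply attributes form the reply, and if every clause rejects the final reason is the last Group failure. The directory of users and groups is constructed for the example (no real accounts), and the password check is reduced to a boolean because the LSA call itself is not modelled. Besides reproducing the "not a member of any Group" rejection, the walk shows why clause order matters for VLAN assignment: a user who is in ITS-WIRELESS and radtestgroup1 is accepted by the first clause, which carries no Tunnel-* attributes, so the VLAN clause for radtestgroup1 is never reached unless the VLAN clauses come first.

```python
"""Model of Radiator's AuthByPolicy ContinueUntilAccept over AuthBy clauses
with Group checks and AddToReply attributes.  Added example, not Radiator
code; users, groups and clause contents are constructed from the posted
configuration and log."""

from dataclasses import dataclass, field


@dataclass
class AuthByClause:
    groups: list                           # Group lines of the clause
    add_to_reply: dict = field(default_factory=dict)  # AddToReply attributes


# Constructed directory: user -> AD groups the user belongs to (not real data)
DIRECTORY = {
    "IOWA\\staff1": {"ITS-WIRELESS", "radtestgroup1"},
    "IOWA\\student1": {"radtestgroup2"},
    "IOWA\\guest1": {"radtestgroup3"},
    "IOWA\\nmjoo": set(),
}


def group_check(user, clause, directory):
    """AuthBy LSA Group semantics: no Group lines means no check is done;
    otherwise the user must be a member of at least one listed group."""
    if not clause.groups:
        return True
    return bool(directory.get(user, set()) & set(clause.groups))


def continue_until_accept(user, password_ok, clauses, directory):
    """Walk the clauses in order.  Returns (result, reply_attrs, reason).
    The first clause that accepts ends the walk; if all reject, the reason
    is the last Group failure, matching the REJECT line in the log."""
    if not password_ok:
        return ("REJECT", {}, "Bad password")
    reason = ""
    for clause in clauses:
        if group_check(user, clause, directory):
            return ("ACCEPT", dict(clause.add_to_reply), "")
        reason = f"AuthBy LSA User is not a member of any Group: {user}"
    return ("REJECT", {}, reason)


VLAN_820 = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
            "Tunnel-Private-Group-ID": "820"}
VLAN_840 = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
            "Tunnel-Private-Group-ID": "840"}

# The four clauses as posted, in the posted order
POSTED_ORDER = [
    AuthByClause(["ITS-WIRELESS"]),
    AuthByClause(["radtestgroup1"], VLAN_820),
    AuthByClause(["radtestgroup2"], VLAN_840),
    AuthByClause(["radtestgroup3"]),
]

# Same clauses with the VLAN-carrying ones first and ITS-WIRELESS last
REORDERED = [POSTED_ORDER[1], POSTED_ORDER[2], POSTED_ORDER[3], POSTED_ORDER[0]]


def vlan_for(user, clauses=POSTED_ORDER):
    """Return (result, Tunnel-Private-Group-ID or None) for a good password."""
    result, reply, _ = continue_until_accept(user, True, clauses, DIRECTORY)
    return (result, reply.get("Tunnel-Private-Group-ID"))


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, "posted order:", vlan_for(user),
              "reordered:", vlan_for(user, REORDERED))
```

Running the block prints the outcome for each constructed user under both clause orders; the nmjoo entry reproduces the REJECT seen in the log for an account that is in none of the listed groups.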


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Wednesday, April 28, 2010 6:48 PM
To: Johnson, Neil M
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Dynamic VLAN assignment based on AD group membership


Hello Neil -

There are a variety of ways of doing this, but if you only have two groups you can use two AuthBy clauses like this:


.....

	AuthByPolicy ContinueUntilAccept

	<AuthBy ....>
		.....
		Group ITS-STAFF
		AddToReply Tunnel-Private-Group-ID = ....., \
			.....
	</AuthBy>

	<AuthBy ....>
		.....
		Group ITS-STUDENTS
		AddToReply Tunnel-Private-Group-ID = ....., \
		.....
	</AuthBy>

.....


regards

Hugh
		


On 29 Apr 2010, at 02:36, Johnson, Neil M wrote:

>  
> Would anyone be willing to share their ideas on how to do Dynamic VLAN assignment based on one's membership in an Active Directory Group using Radiator?
>  
> I know how to return the actual Radius attributes to assign VLANs (Tunnel-Private-Group-ID, etc.).
>  
> What I'm looking for is how to define those attributes based on a user's membership in an AD group.
>  
> So for example:
>  
> User1 is in AD group "ITS-STAFF" they get assigned to one VLAN
> User2 is in AD group "ITS-STUDENTS" they get assigned to a different VLAN.
>  
> I'm assuming that I will need to use a  hook.
>  
> Thanks.
> -Neil
>  
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-johnson at uiowa.edu
>  
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
