[RADIATOR] Dynamic VLAN assignment based on AD group membership
Johnson, Neil M
neil-johnson at uiowa.edu
Mon May 3 09:14:44 CDT 2010
Users are stored in Active Directory Groups. Do I need to include the domain name in the group name?
i.e. IOWA\radtestgroup1
Thanks.
-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-johnson at uiowa.edu
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Thursday, April 29, 2010 9:18 PM
To: Johnson, Neil M
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Dynamic VLAN assignment based on AD group membership
Hello Neil -
Can you tell me how your users are stored in the Group definitions?
Radiator is looking for "IOWA\nmjoo".
> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
regards
Hugh
On 30 Apr 2010, at 02:24, Johnson, Neil M wrote:
> I tried the following configuration after verifying that authentication works if I don't check for group membership.
> .
> .
> .
> AuthByPolicy ContinueUntilAccept
> <AuthBy LSA>
> # Specifies which Windows Domain is ALWAYS to be used to authenticate
> # users (even if they specify a different domain in their username).
> # Empty string means the local machine only
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #Domain OPEN
> #Domain IOWA
>
> # Specifies the Windows Domain to use if the user does not
> # specify a domain in their username.
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #DefaultDomain OPEN
> DefaultDomain IOWA
>
> # You can check whether each user is the member of a windows group
> # with the Group parameter. If more than one Group is specified, then the
> # user must be a member of at least one of them. Requires Win32::NetAdmin
> # (which is installed by default with ActivePerl). If no Group
> # parameters are specified, then Group checks will not be performed.
> #Group Administrators
> #Group Domain Users
> Group ITS-WIRELESS
>
> # You can specify which domain controller will be used to check group
> # membership with the DomainController parameter. If no Group parameters
> # are specified, DomainController wil not be used. Defaults to
> # empty string, meaning the default controller of the host where this
> # instance of Radaitor is running.
> #DomainController zulu
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType MSCHAP-V2
> </AuthBy>
>
> <AuthBy LSA>
> DefaultDomain IOWA
> Group radtestgroup1
> AddToReply Tunnel-Medium-Type = 802
> AddToReply Tunnel-Private-Group-ID = 820
> AddToReply Tunnel-Type = VLAN
> EAPType MSCHAP-V2
> </AuthBy>
>
> <AuthBy LSA>
> DefaultDomain IOWA
> Group radtestgroup2
> AddToReply Tunnel-Medium-Type = 802
> AddToReply Tunnel-Private-Group-ID = 840
> AddToReply Tunnel-Type = VLAN
> EAPType MSCHAP-V2
> </AuthBy>
>
> <AuthBy LSA>
> DefaultDomain IOWA
> Group radtestgroup3
> EAPType MSCHAP-V2
> </AuthBy>
>
> </Handler>
> .
> .
> .
>
> However, the following appears in the LOG files:
> .
> .
> .
> Thu Apr 29 11:00:37 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
> Thu Apr 29 11:00:37 2010: DEBUG: Deleting session for anonymous, 128.255.134.59, 12289
> Thu Apr 29 11:00:37 2010: DEBUG: Handling with Radius::AuthLSA:
> Thu Apr 29 11:00:37 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
> Thu Apr 29 11:00:37 2010: DEBUG: Response type 26
> Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:37 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:37 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:37 2010: DEBUG: Handling with Radius::AuthLSA:
> Thu Apr 29 11:00:37 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
> Thu Apr 29 11:00:37 2010: DEBUG: Response type 26
> Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:38 2010: DEBUG: Handling with Radius::AuthLSA:
> Thu Apr 29 11:00:38 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
> Thu Apr 29 11:00:38 2010: DEBUG: Response type 26
> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:38 2010: DEBUG: Handling with Radius::AuthLSA:
> Thu Apr 29 11:00:38 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
> Thu Apr 29 11:00:38 2010: DEBUG: Response type 26
> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
> Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:38 2010: INFO: Access rejected for anonymous: EAP MSCHAP V2 failed: no such user IOWA\nmjoo
> Thu Apr 29 11:00:38 2010: DEBUG: Returned PEAP tunnelled packet dump:
> .
> .
> .
>
> Again the same account works, if I don't check for Group Membership. I've made sure to install Win32::NetAdmin.
>
> Thanks.
>
> -Neil
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Wednesday, April 28, 2010 6:48 PM
> To: Johnson, Neil M
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Dynamic VLAN assignment based on AD group membership
>
>
> Hello Neil -
>
> There are a variety of ways of doing this, but if you only have two groups you can use two AuthBy clauses like this:
>
>
> .....
>
> AuthByPolicy ContinueUntilAccept
>
> <AuthBy ....>
> .....
> Group ITS-STAFF
> AddToReply Tunnel-Private-Group-ID = ....., \
> .....
> </AuthBy>
>
> <AuthBy ....>
> .....
> Group ITS-STUDENTS
> AddToReply Tunnel-Private-Group-ID = ....., \
> .....
> </AuthBy>
>
> .....
>
>
> regards
>
> Hugh
>
>
>
> On 29 Apr 2010, at 02:36, Johnson, Neil M wrote:
>
>>
>> Would anyone be willing to share their ideas on how to do Dynamic VLAN assignment based on one's membership in an Active Directory Group using Radiator?
>>
>> I know how to return the actual Radius attributes to assign VLANs (Tunnel-Private-Group-ID, etc.).
>>
>> What I'm looking for is how to define those attributes based on a user's membership in an AD group.
>>
>> So for example:
>>
>> User1 is in AD group "ITS-STAFF" they get assigned to one VLAN
>> User2 is in AD group "ITS-STUDENTS" they get assigned to a different VLAN.
>>
>> I'm assuming that I will need to use a hook.
>>
>> Thanks.
>> -Neil
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
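Added example, not code from the thread or from Radiator itself: a small Python model of the `AuthByPolicy ContinueUntilAccept` chain that Hugh sketches and that Neil's configuration implements, with per-group `AddToReply` VLAN attributes. It is here to make two things visible that the log excerpt alone does not: how the first accepting clause ends the chain (in the configuration as posted, the `ITS-WIRELESS` clause sits first and carries no VLAN attributes, so a member of that group is accepted there and the VLAN clauses below it are never consulted), and how a `DOMAIN\user` name and a `DOMAIN\group` name might be compared against group membership. The in-memory directory, the user names, the splitting of `IOWA\nmjoo` into domain and user, and the case-insensitive comparison with any `DOMAIN\` prefix stripped from group names are all assumptions of this model, not documented `AuthBy LSA` behaviour; the MSCHAP-V2 password check is not modelled at all.

```python
from dataclasses import dataclass, field

# Constructed directory standing in for Active Directory: group -> members
# (sAMAccountName, no domain prefix). All values are made up for this example.
DIRECTORY = {
    "ITS-WIRELESS": {"nmjoo", "alice"},
    "radtestgroup1": {"nmjoo"},
    "radtestgroup2": {"alice"},
    "radtestgroup3": set(),
}


@dataclass
class AuthByLSA:
    """One <AuthBy LSA> clause: DefaultDomain, Group lines, AddToReply lines."""
    default_domain: str
    groups: list
    add_to_reply: dict = field(default_factory=dict)


def split_domain_user(name, default_domain):
    """'IOWA\\nmjoo' -> ('IOWA', 'nmjoo'); a bare user name gets DefaultDomain.
    Assumption of this model, not a statement about how Radiator parses names."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain, user
    return default_domain, name


def strip_group_domain(group):
    """Assumption of this model: 'IOWA\\radtestgroup1' and 'radtestgroup1' name the same group."""
    return group.split("\\", 1)[1] if "\\" in group else group


def is_member(directory, user, group):
    """Case-insensitive membership test against the constructed directory."""
    members = directory.get(strip_group_domain(group), set())
    return user.lower() in {m.lower() for m in members}


def authby_lsa(clause, username, directory):
    """Group check only; password verification is deliberately not modelled.
    Returns ('ACCEPT', reply_attrs) or ('REJECT', reason). The reject reason
    mirrors the wording of the log line quoted in the thread."""
    domain, user = split_domain_user(username, clause.default_domain)
    if clause.groups and not any(is_member(directory, user, g) for g in clause.groups):
        return "REJECT", f"User is not a member of any Group: {domain}\\{user}"
    return "ACCEPT", dict(clause.add_to_reply)


def continue_until_accept(clauses, username, directory):
    """AuthByPolicy ContinueUntilAccept: clauses run in order, the first ACCEPT wins,
    and the result of the last clause is returned if none accepts."""
    outcome = ("REJECT", "no AuthBy clauses")
    for clause in clauses:
        outcome = authby_lsa(clause, username, directory)
        if outcome[0] == "ACCEPT":
            break
    return outcome


VLAN_820 = {"Tunnel-Medium-Type": "802", "Tunnel-Private-Group-ID": "820", "Tunnel-Type": "VLAN"}
VLAN_840 = {"Tunnel-Medium-Type": "802", "Tunnel-Private-Group-ID": "840", "Tunnel-Type": "VLAN"}

# Clause order as posted in the thread: ITS-WIRELESS first, with no AddToReply,
# so every ITS-WIRELESS member is accepted without any VLAN attribute.
AS_POSTED = [
    AuthByLSA("IOWA", ["ITS-WIRELESS"]),
    AuthByLSA("IOWA", ["radtestgroup1"], VLAN_820),
    AuthByLSA("IOWA", ["radtestgroup2"], VLAN_840),
    AuthByLSA("IOWA", ["radtestgroup3"]),
]

# Specific VLAN clauses first, the broad group last as a no-VLAN fallback.
# Group names carry a domain prefix here to exercise strip_group_domain().
VLAN_FIRST = [
    AuthByLSA("IOWA", ["IOWA\\radtestgroup1"], VLAN_820),
    AuthByLSA("IOWA", ["IOWA\\radtestgroup2"], VLAN_840),
    AuthByLSA("IOWA", ["ITS-WIRELESS"]),
]

if __name__ == "__main__":
    for handler_name, handler in (("as posted", AS_POSTED), ("VLAN first", VLAN_FIRST)):
        for who in ("IOWA\\nmjoo", "alice", "IOWA\\bob"):
            print(handler_name, who, continue_until_accept(handler, who, DIRECTORY))
```

Running the block prints, for each clause order and each constructed user, the result of the chain: `IOWA\nmjoo` is accepted with an empty reply under the order as posted and with the VLAN 820 attributes under the VLAN-first order, while `IOWA\bob`, who is in no group, is rejected with the same "not a member of any Group" wording as the log. The practical point for anyone reviewing such a configuration is that a broad, attribute-free group clause belongs after the specific VLAN clauses, otherwise it silently swallows the users the later clauses were meant to place.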