[RADIATOR] Dynamic VLAN assignment based on AD group membership

Hugh Irvine hugh at open.com.au
Fri May 7 16:13:07 CDT 2010


Hello Neil -

Yes - see section 5.51 in the Radiator 4.6 reference manual ("doc/ref.pdf").

regards

Hugh


On 8 May 2010, at 01:12, Johnson, Neil M wrote:

> 
> Hugh,
> 
> Does Radiator need to run on a Domain Controller so that <AuthBy LSA> and groups work?
> 
> Thanks.
> 
> -Neil
> 
> -- 
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-johnson at uiowa.edu
> 
> 
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Johnson, Neil M
> Sent: Tuesday, May 04, 2010 9:10 AM
> To: Hugh Irvine
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Dynamic VLAN assignment based on AD group membership
> 
> 
> Hugh,
> 
> I am still getting the same error message. I've attached my configuration file and full trace for reference.
> 
> -Neil
> 
> 
> 
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au] 
> Sent: Monday, May 03, 2010 5:56 PM
> To: Johnson, Neil M
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Dynamic VLAN assignment based on AD group membership
> 
> 
> Hello Neil -
> 
> No - you should use "EAPAnonymous %0" in your outer Handler so the inner username is set to just the username without the prefix.
> 
> And you should also use "AuthByPolicy ContinueUntilAcceptOrChallenge" in the inner Handler.
> 
> regards
> 
> Hugh
> 
> 
> On 4 May 2010, at 00:14, Johnson, Neil M wrote:
> 
>> Users are stored in Active Directory Groups. Do I need to include the domain name in the group name?
>> 
>> i.e. IOWA\radtestgroup1
>> 
>> Thanks.
>> -Neil
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au] 
>> Sent: Thursday, April 29, 2010 9:18 PM
>> To: Johnson, Neil M
>> Cc: radiator at open.com.au
>> Subject: Re: [RADIATOR] Dynamic VLAN assignment based on AD group membership
>> 
>> 
>> Hello Neil -
>> 
>> Can you tell me how your users are stored in the Group definitions?
>> 
>> Radiator is looking for "IOWA\nmjoo".
>> 
>>> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
>> 
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 30 Apr 2010, at 02:24, Johnson, Neil M wrote:
>> 
>>> I tried the following configuration after verifying that authentication works if I don't check for group membership.
>>> .
>>> .
>>> .
>>> 	AuthByPolicy ContinueUntilAccept
>>> 	<AuthBy LSA>
>>> 		# Specifies which Windows Domain is ALWAYS to be used to authenticate
>>> 		# users (even if they specify a different domain in their username). 
>>> 		# Empty string means the local machine only
>>> 		# Special characters are supported. Can be an Active
>>> 		# directory domain or a Windows NT domain controller 
>>> 		# domain name
>>> 		# Empty string (the default) means the local machine
>>> 		#Domain OPEN
>>> 		#Domain IOWA
>>> 
>>> 		# Specifies the Windows Domain to use if the user does not
>>> 		# specify a domain in their username.
>>> 		# Special characters are supported. Can be an Active
>>> 		# directory domain or a Windows NT domain controller 
>>> 		# domain name
>>> 		# Empty string (the default) means the local machine
>>> 		#DefaultDomain OPEN
>>> 		DefaultDomain IOWA
>>> 		
>>> 		# You can check whether each user is the member of a windows group
>>> 		# with the Group parameter. If more than one Group is specified, then the
>>> 		# user must be a member of at least one of them. Requires Win32::NetAdmin
>>> 		# (which is installed by default with ActivePerl). If no Group
>>> 		# parameters are specified, then Group checks will not be performed.
>>> 		#Group Administrators
>>> 		#Group Domain Users
>>> 		Group ITS-WIRELESS
>>> 
>>> 		# You can specify which domain controller will be used to check group
>>> 		# membership with the DomainController parameter. If no Group parameters
>>> 		# are specified, DomainController will not be used. Defaults to
>>> 		# empty string, meaning the default controller of the host where this
>>> 		# instance of Radiator is running.
>>> 		#DomainController zulu
>>> 
>>> 		# This tells the PEAP client what types of inner EAP requests
>>> 		# we will honour
>>> 		EAPType MSCHAP-V2
>>> 	</AuthBy>
>>> 
>>> 	<AuthBy LSA>
>>> 		DefaultDomain IOWA
>>> 		Group radtestgroup1
>>> 		AddToReply Tunnel-Medium-Type = 802
>>> 		AddToReply Tunnel-Private-Group-ID = 820
>>> 		AddToReply Tunnel-Type = VLAN
>>> 		EAPType MSCHAP-V2
>>> 	</AuthBy>
>>> 
>>> 	<AuthBy LSA>
>>> 		DefaultDomain IOWA
>>> 		Group radtestgroup2
>>> 		AddToReply Tunnel-Medium-Type = 802
>>> 		AddToReply Tunnel-Private-Group-ID = 840
>>> 		AddToReply Tunnel-Type = VLAN
>>> 		EAPType MSCHAP-V2
>>> 	</AuthBy>
>>> 
>>> 	<AuthBy LSA>
>>> 		DefaultDomain IOWA
>>> 		Group radtestgroup3
>>> 		EAPType MSCHAP-V2
>>> 	</AuthBy>
>>> 
>>> </Handler>
>>> .
>>> .
>>> .
>>> 
>>> However, the following appears in the LOG files:
>>> .
>>> .
>>> .
>>> Thu Apr 29 11:00:37 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
>>> Thu Apr 29 11:00:37 2010: DEBUG:  Deleting session for anonymous, 128.255.134.59, 12289
>>> Thu Apr 29 11:00:37 2010: DEBUG: Handling with Radius::AuthLSA: 
>>> Thu Apr 29 11:00:37 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
>>> Thu Apr 29 11:00:37 2010: DEBUG: Response type 26
>>> Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:37 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:37 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:37 2010: DEBUG: Handling with Radius::AuthLSA: 
>>> Thu Apr 29 11:00:37 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
>>> Thu Apr 29 11:00:37 2010: DEBUG: Response type 26
>>> Thu Apr 29 11:00:37 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:38 2010: DEBUG: Handling with Radius::AuthLSA: 
>>> Thu Apr 29 11:00:38 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
>>> Thu Apr 29 11:00:38 2010: DEBUG: Response type 26
>>> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:38 2010: DEBUG: Handling with Radius::AuthLSA: 
>>> Thu Apr 29 11:00:38 2010: DEBUG: Handling with EAP: code 2, 7, 65, 26
>>> Thu Apr 29 11:00:38 2010: DEBUG: Response type 26
>>> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA looks for match with IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:38 2010: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: IOWA\nmjoo [anonymous]
>>> Thu Apr 29 11:00:38 2010: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:38 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:38 2010: INFO: Access rejected for anonymous: EAP MSCHAP V2 failed: no such user IOWA\nmjoo
>>> Thu Apr 29 11:00:38 2010: DEBUG: Returned PEAP tunnelled packet dump:
>>> .
>>> .
>>> .
>>> 
>>> Again the same account works, if I don't check for Group Membership. I've made sure to install Win32::NetAdmin.
>>> 
>>> Thanks.
>>> 
>>> -Neil
>>> 
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Hugh Irvine [mailto:hugh at open.com.au] 
>>> Sent: Wednesday, April 28, 2010 6:48 PM
>>> To: Johnson, Neil M
>>> Cc: radiator at open.com.au
>>> Subject: Re: [RADIATOR] Dynamic VLAN assignment based on AD group membership
>>> 
>>> 
>>> Hello Neil -
>>> 
>>> There are a variety of ways of doing this, but if you only have two groups you can use two AuthBy clauses like this:
>>> 
>>> 
>>> .....
>>> 
>>> 	AuthByPolicy ContinueUntilAccept
>>> 
>>> 	<AuthBy ....>
>>> 		.....
>>> 		Group ITS-STAFF
>>> 		AddToReply Tunnel-Private-Group-ID = ....., \
>>> 			.....
>>> 	</AuthBy>
>>> 
>>> 	<AuthBy ....>
>>> 		.....
>>> 		Group ITS-STUDENTS
>>> 		AddToReply Tunnel-Private-Group-ID = ....., \
>>> 		.....
>>> 	</AuthBy>
>>> 
>>> .....
>>> 
>>> 
>>> regards
>>> 
>>> Hugh
>>> 		
>>> 
>>> 
>>> On 29 Apr 2010, at 02:36, Johnson, Neil M wrote:
>>> 
>>>> 
>>>> Would anyone be willing to share their ideas on how to do Dynamic VLAN assignment based on one's membership in an Active Directory Group using Radiator?
>>>> 
>>>> I know how to return the actual Radius attributes to assign VLANs (Tunnel-Private-Group-ID, etc.).
>>>> 
>>>> What I'm looking for is how to define those attributes based on a user's membership in an AD group.
>>>> 
>>>> So for example:
>>>> 
>>>> User1 is in AD group "ITS-STAFF": they get assigned to one VLAN.
>>>> User2 is in AD group "ITS-STUDENTS": they get assigned to a different VLAN.
>>>> 
>>>> I'm assuming that I will need to use a hook.
>>>> 
>>>> Thanks.
>>>> -Neil
>>>> 
>>>> 
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>> 
>>> 
>>> 
>>> NB: 
>>> 
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets), 
>>> together with a trace 4 debug showing what is happening?
>>> 
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
>> 
>> 
> 
> 
> 
> 
> 
> 
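Added example (not from this thread and not a file shipped with Radiator): a minimal radius.cfg that applies Hugh's two points, "EAPAnonymous %0" in the outer PEAP AuthBy and "AuthByPolicy ContinueUntilAcceptOrChallenge" in the inner TunnelledByPEAP=1 Handler, to the two-group AuthBy LSA pattern Neil posted. The DefaultDomain, Group names, reply attribute values and VLAN IDs 820/840 are taken from Neil's configuration as posted; the certificate paths, users file, Client clause, log directory and shared secret are placeholders to be replaced.

```text
# Added example radius.cfg (not from the thread or from the Radiator
# distribution). Placeholders: LogDir, DbDir, the Client clause and
# secret, the users file and the EAPTLS_* certificate paths.

Foreground
LogStdout
LogDir  /var/log/radiator
DbDir   /etc/radiator
# trace 4 gives the per-AuthBy debug lines seen in Neil's log
Trace   4

<Client DEFAULT>
    Secret  REPLACE_WITH_SHARED_SECRET
</Client>

# Inner (tunnelled) Handler: the EAP-MSCHAP-V2 conversation inside PEAP.
# Hugh's second point: ContinueUntilAcceptOrChallenge, so a CHALLENGE from
# the AuthBy that is mid-conversation is not treated as "not accepted yet,
# try the next clause".
<Handler TunnelledByPEAP=1>
    AuthByPolicy ContinueUntilAcceptOrChallenge

    # Members of radtestgroup1 get VLAN 820 (values as Neil posted them)
    <AuthBy LSA>
        DefaultDomain IOWA
        Group radtestgroup1
        EAPType MSCHAP-V2
        AddToReply Tunnel-Type = VLAN, \
                   Tunnel-Medium-Type = 802, \
                   Tunnel-Private-Group-ID = 820
    </AuthBy>

    # Members of radtestgroup2 get VLAN 840
    <AuthBy LSA>
        DefaultDomain IOWA
        Group radtestgroup2
        EAPType MSCHAP-V2
        AddToReply Tunnel-Type = VLAN, \
                   Tunnel-Medium-Type = 802, \
                   Tunnel-Private-Group-ID = 840
    </AuthBy>
</Handler>

# Outer Handler: terminates the PEAP tunnel. Hugh's first point:
# EAPAnonymous %0 sets the inner identity to the plain user name
# (no domain prefix) instead of the literal "anonymous" outer identity.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile          %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_PrivateKeyFile  %D/certificates/server.key
        EAPAnonymous %0
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Start it with "radiusd -config_file radius.cfg" and watch the trace 4 output: each "Radius::AuthLSA looks for match with ..." line should now name the user the group check is being run for, and an account that is in neither group should be rejected (as in Neil's log) rather than accepted without Tunnel-* attributes, since the Tunnel-* reply attributes are what place the client on a VLAN and a fall-through accept would land it on whatever the switch uses by default.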


