dlietz

freeradius attributes from eDirectory

I'm trying to configure dynamic VLANs on a Ruckus ZD3000 using FreeRadius 2.1.1-7.12.1 running on a SLES 11 SP1/OES11 box. I currently have 802.11 authentication using EAP configured and working. The Zone directory requires the following attributes to be able to set the VLAN dynamically:

Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID =

I find that if I put this in the users file:

DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 86,
        Fall-Through = Yes

dynamic VLANs work perfectly; I can change the number and the VLAN for the client will change. What I want to be able to do is have the FreeRADIUS server read this info from eDirectory and pass it on to the ZD3000, and according to the Novell document "Integrating Novell eDirectory with FreeRADIUS Administration Guide" the matching eDirectory attribute is 'radius Tunnel Private Group Id'.

I'm unclear on where or how to configure FreeRADIUS to look at that attribute to get the value for 'Tunnel-Private-Group-ID'.

Any assistance is greatly appreciated.

Dan
dlietz

Attempt to Format for readability

I'm trying to configure dynamic VLANs on a Ruckus ZD3000 using FreeRadius 2.1.1-7.12.1 running on a SLES 11 SP1/OES11 box. I currently have 802.11 authentication using EAP configured and working. The Zone directory requires the following attributes to be able to set the VLAN dynamically:

Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 'id'

I find that if I put this in the users file:
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 88,
        Fall-Through = Yes

dynamic VLANs work perfectly; I can change the number (88) and the VLAN for the client will change. What I want to be able to do is have the FreeRADIUS server read this info from eDirectory and pass it on to the ZD3000, and according to the Novell document "Integrating Novell eDirectory with FreeRADIUS Administration Guide" the matching eDirectory attribute is 'radius Tunnel Private Group Id'.

I'm unclear on where or how to configure FreeRADIUS to look at that attribute to get the value for 'Tunnel-Private-Group-ID'.

Any assistance is greatly appreciated.

Dan
peterkuo

Re: Attempt to Format for readability

So what you need is an (LDAP) attribute mapping of 'radius Tunnel Private Group Id' to 'Tunnel-Private-Group-ID.'

-- eDirectory Rules! Peter www.DreamLAN.com
gleach1

Re: freeradius attributes from eDirectory

You might need to edit the LDAP group settings for each LDAP group in your tree and match the required attribute up, or even create it.

I'm thinking the procedure might be similar to this TID: https://www.novell.com/support/kb/doc.php?id=7003050

But obviously you'd be dealing with different attributes. It might help you out, and you may just need to match up the attributes with what is required.

dlietz

Re: Attempt to Format for readability

I don't think it's an attribute definition issue, because I can use the RADIUS plugin for iManager and view/edit the attribute I need on the RADIUS user. In iManager, the attribute is listed as 'Tunnel Private GroupId'; I just need the RADIUS server to read the info that is already there.

Thanks for the input guys.
dlietz

Re: freeradius attributes from eDirectory

I was able to get some guidance on this, and the problem was in my ldap.attr file. I just needed to add the map for Tunnel-Private-Group-ID and that got it working. Now I just need to figure out a way to modify the dialupAccess and Tunnel-Private-Group-ID attributes in bulk, as it doesn't look like I can do it via iManager or C1.

Dan
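The fix described in the post above was a missing map line for Tunnel-Private-Group-ID. As an added example (not code from the thread or from FreeRADIUS), this check parses an attribute map in the three-column `itemType RADIUS-attribute LDAP-attribute` layout and reports which of the three reply attributes the ZD3000 needs are not mapped. The sample map is constructed, the LDAP attribute names on the right are assumptions to be checked against your eDirectory schema, and attribute names are compared case-insensitively as a choice of this example.

```python
# Reply attributes the thread says the ZD3000 needs for dynamic VLAN assignment.
REQUIRED_REPLY_ITEMS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

# Constructed sample map. The LDAP attribute names in the third column are
# assumptions; the VLAN mapping is commented out to reproduce the symptom.
SAMPLE_MAP = """\
# itemType   RADIUS attribute          LDAP attribute
checkItem    $GENERIC$                 radiusCheckItem
replyItem    $GENERIC$                 radiusReplyItem
replyItem    Tunnel-Type               radiusTunnelType
replyItem    Tunnel-Medium-Type        radiusTunnelMediumType
# replyItem  Tunnel-Private-Group-ID   radiusTunnelPrivateGroupId
"""


def parse_attr_map(text):
    """Return {(item_type, radius_attr_lowercased): ldap_attr} for active lines."""
    mappings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("checkItem", "replyItem"):
            raise ValueError(f"line {lineno}: malformed map entry: {raw!r}")
        mappings[(fields[0], fields[1].lower())] = fields[2]
    return mappings


def missing_reply_items(text, required=REQUIRED_REPLY_ITEMS):
    """List required reply attributes that have no replyItem mapping."""
    mappings = parse_attr_map(text)
    return [attr for attr in required if ("replyItem", attr.lower()) not in mappings]


if __name__ == "__main__":
    for attr in missing_reply_items(SAMPLE_MAP):
        print(f"no replyItem mapping for {attr}: it will not be sent to the NAS")
```
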
gleach1

Re: freeradius attributes from eDirectory

To do this in bulk you'll likely need to use an LDIF modify command against all the accounts that need whatever attributes set. iManager and ConsoleOne seem to only be able to do this 1 user at a time (reliably at least, anyway...).

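The LDIF approach suggested above, as an added example that is not part of the original posts: it builds one `changetype: modify` record per user, rejects VLAN IDs outside 1-4094 and duplicate DNs before anything is written, and base64-encodes values that are not LDIF-safe. The LDAP attribute name `radiusTunnelPrivateGroupId`, the sample DNs and the `dialupAccess` value are assumptions; take the real names and value syntax from your schema.

```python
import base64

VLAN_ATTR = "radiusTunnelPrivateGroupId"  # assumed LDAP name; verify in your schema


def ldif_value(name, value):
    """Format one LDIF line; base64-encode values that are not safe strings (RFC 2849)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_ldif(assignments, extra=None):
    """assignments: iterable of (user_dn, vlan_id); extra: other attrs to replace."""
    records, seen = [], set()
    for dn, vlan in assignments:
        if type(vlan) is not int or not 1 <= vlan <= 4094:
            raise ValueError(f"{dn}: VLAN ID {vlan!r} is outside 1-4094")
        if dn.lower() in seen:
            raise ValueError(f"{dn}: listed more than once")
        seen.add(dn.lower())
        lines = [ldif_value("dn", dn), "changetype: modify"]
        for attr, value in [(VLAN_ATTR, str(vlan)), *(extra or {}).items()]:
            lines += [f"replace: {attr}", ldif_value(attr, value), "-"]
        records.append("\n".join(lines))
    return "version: 1\n\n" + "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed sample users; the dialupAccess value is an assumption.
    users = [("cn=jdoe,ou=staff,o=example", 88), ("cn=José,ou=staff,o=example", 86)]
    print(build_ldif(users, extra={"dialupAccess": "TRUE"}))
```

Review the generated file before loading it with your LDAP client's modify tool, since a wrong VLAN ID places the client on the wrong network segment.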
peterkuo

Re: freeradius attributes from eDirectory

You *should* be able to do that with iMan or C1 by selecting the multiple users. However, another "quick" way may be to try the Attributes Gadget (Be a Gadgeteer! - Get your LDAP Gadgets from DreamLAN.com) where you can batch modify an attribute without having to write the LDIF file.

-- eDirectory Rules! Peter www.DreamLAN.com