Score:0

FreeRADIUS / Active Directory / Computer Authentication / VLAN based off of UserDN


I am currently determining VLAN/dACL assignment based off of group membership of the computer authenticating and would like to instead switch to determining VLAN/dACL assignment based off of the OU location of the computer. I seem to be unable to acquire the UserDN. Any assistance or hints as to how I can achieve this would be greatly appreciated.

How to achieve what I'd like to do using Aruba ClearPass: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=20287

I attempted the following but after debugging realized that LDAP-UserDN is empty:

    if ( LDAP-UserDN =~ /(.*),OU=IRStaff,OU=Computers,DC=company,DC=net$/ ) {
        update reply {
            Service-Type := "Framed"
            Framed-Protocol := "PPP"
            Tunnel-Private-Group-Id := "10"
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
        }
    }

Score:1

After paying closer attention to the comments in the ldap modules (I have multiple to account for several domains), I adjusted the following in all of them:

From: user_dn = "LDAP-UserDn"

To: user_dn = "${.:instance}-LDAP-UserDn"

After that I was able to determine a VLAN to use based on the OU the computer was in with the following in the post-auth section of a virtual server:

    if ( &control:companynet-ldap-LDAP-UserDn =~ /(.*),OU=IRStaff,OU=Computers,DC=company,DC=net$/ ) {
        update reply {
            Service-Type := "Framed"
            Framed-Protocol := "PPP"
            Tunnel-Private-Group-Id := "10"
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
        }
    }
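
Added example, not part of the original answer: a small Python check of the same OU-suffix rule, for running sample DNs through the policy before it goes into post-auth. The policy table, the Lab OU with VLAN 20 and the sample DNs are constructed; the check goes slightly beyond the regex by comparing case-insensitively and splitting only on unescaped commas.

```python
# Hypothetical policy table: only IRStaff -> "10" comes from the post.
OU_VLANS = [
    ("OU=IRStaff,OU=Computers,DC=company,DC=net", "10"),
    ("OU=Lab,OU=Computers,DC=company,DC=net", "20"),  # constructed entry
]

def split_rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash escapes such as '\\,'."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])    # keep the escaped pair together
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur))  # an unescaped comma ends the RDN
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns]

def vlan_for_dn(dn, policy=OU_VLANS, default=None):
    """Return the VLAN of the first policy OU that contains the object, else default."""
    rdns = split_rdns(dn)
    for ou, vlan in policy:
        want = split_rdns(ou)
        # Require at least one RDN in front of the OU, so the OU itself and an
        # empty DN (the unset-attribute case from the question) never match.
        if len(rdns) > len(want) and rdns[-len(want):] == want:
            return vlan
    return default

# Constructed sample DNs, not taken from a real directory.
SAMPLES = [
    "CN=PC01,OU=IRStaff,OU=Computers,DC=company,DC=net",
    "CN=PC03,OU=Laptops,OU=IRStaff,OU=Computers,DC=company,DC=net",  # child OU
    "CN=PC\\,06,OU=Lab,OU=Computers,DC=company,DC=net",  # comma inside the CN
    "CN=PC04,OU=Finance,OU=Computers,DC=company,DC=net",  # no policy entry
    "",  # DN attribute not populated
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(repr(dn), "->", vlan_for_dn(dn))
```

Like the `(.*)` in the regex, the check also matches computers in child OUs of a listed OU, and a DN that matches nothing returns the default so the caller decides what an unmatched machine gets.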