RandomPrecision

Reputation: 35

Passing dictionary values to inner-tunnel (i.e. "Cisco-AVPair")

I'm currently having issues where I'm trying to implement the use of UDN in Meraki by passing a value via Cisco-AVPair.

This is my current users in the users file:

rick    Cleartext-Password := "password1"
        Cisco-AVPair = "udn:private-group-id=500"

morty   Cleartext-Password := "password2"
        Cisco-AVPair = "udn:private-group-id=501"

While this alone does get passed back in a response from a radtest or using RTRadPing, the attribute is not being passed over to the Meraki because the value is not making it into the inner-tunnel. I need to be able to make sure this value is also passed in the inner-tunnel as well.

I know the issue is related to this value not making it into the inner-tunnel because I can add this line to the post-auth section of the inner-tunnel and default files and it makes it pass the static value and the Meraki receives it.

    update reply {
        Cisco-AVPair := "udn:private-group-id=500"
    }

The problem with this is that it just statically sets the UDN to 500 for every user. I need to pull in the value assigned to that user and push it to the Meraki.

I have tried these in the post-auth section of my "/etc/freeradius/3.0/sites-enabled/inner-tunnel" file but none of them seem to work.

    if (&session-state:Cisco-AVPair) {
        update reply {
            Cisco-AVPair := &session-state:Cisco-AVPair
        }
    }
    if (&request:Cisco-AVPair) {
        update reply {
            Cisco-AVPair := &request:Cisco-AVPair
        }
    }

I also tried some other suggestions like assigning to a temporary control value under the "authorize" section, then referencing that control value in the post-auth section. I just can't seem to figure out how to pass the specific value associated with that user that is being authorized.

Any guidance would be greatly appreciated.

Upvotes: 0

Views: 75

Answers (1)

RandomPrecision

Reputation: 35

I was able to finally figure this out. I'm not certain if it's the right way to do it but it certainly worked for me.

I had to add something to the "authorize" and the "post-auth" sections of both the default file and the inner-tunnel file.

File: /etc/freeradius/3.0/sites-enabled/default

I added this in the authorize section:

    update control {
        &control: += &reply:
    }

I added this in the post-auth section:

    update reply {
        &reply: += &control:
    }

File: /etc/freeradius/3.0/sites-enabled/inner-tunnel

I added this in the authorize section:

    update control {
        &control: += &reply:
    }

I added this in the post-auth section:

    update outer.session-state {
        &outer.session-state: += &control:
    }

This actually works out better for me because this way I'm not just passing the Cisco-AVPair attribute, I'm passing any other attributes that I add along the way automatically. This way I don't have to go back and update these sections again. I just have to update the users and their attributes.

Upvotes: 0
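The following is an added example (not the poster's configuration and not taken from the FreeRADIUS project files) showing the same inner-to-outer hand-off, but copying only the per-user reply attribute instead of the whole `control` list. It assumes FreeRADIUS 3.0.x with the stock `default` and `inner-tunnel` site files, that the per-user `Cisco-AVPair` reply items come from the `users` file as in the question, and that the `[*]` instance selector is available for copying every instance of an attribute.

```unlang
# --- /etc/freeradius/3.0/sites-enabled/inner-tunnel (post-auth section) ---
# Added example. The users file places reply items such as Cisco-AVPair in
# the INNER reply list, which the NAS never sees: the inner reply is wrapped
# inside the EAP tunnel. Copy just that attribute to the outer request's
# session-state so the outer post-auth can put it in the Access-Accept.
post-auth {
    if (&reply:Cisco-AVPair) {
        update outer.session-state {
            # "[*]" copies every instance, so a user with several
            # Cisco-AVPair reply items keeps all of them. (assumed syntax)
            &Cisco-AVPair += &reply:Cisco-AVPair[*]
        }
    }
    # Nothing from &control: is copied. The control list holds
    # Cleartext-Password, Auth-Type and similar server-side items that must
    # never be sent to the NAS.
}

# --- /etc/freeradius/3.0/sites-enabled/default (post-auth section) ---
# The outer post-auth merges session-state into the final reply. Stock 3.0.x
# site files already contain this update; it is repeated here so the example
# is complete on its own.
post-auth {
    update {
        &reply: += &session-state:
    }
}
```

To check the result, run the server in debug mode (`freeradius -X`) and authenticate a test user through the tunnel; the attribute should appear under the outer "Sent Access-Accept" lines rather than only in the inner-tunnel's reply. Copying the single attribute rather than the whole control list is the design choice here: `&control: += &reply:` followed by `&outer.session-state: += &control:` also carries `Cleartext-Password` from the users file into the outer session-state, and the outer post-auth then puts everything in that list into the Access-Accept sent to the access point.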
