
freeradius on OPNsense: Use VLAN based on LDAP group

The main challenge in doing so is to make the change permanent, as the OPNsense web frontend does not support this kind of config modification.

So here’s a short wrap-up of the things required:

opnsense # cd /usr/local/opnsense/service/templates/OPNsense/Freeradius
opnsense # cp users users.custom
opnsense # mkdir +TARGETS.D
opnsense # grep users: +TARGETS | sed -e s+'^users:'+'users.custom:'+ > +TARGETS.D/users.custom.TARGET

Now edit users.custom:

opnsense # vi users.custom

<... insert the following lines ...>
DEFAULT Ldap-Group == "CN=Network-VLAN2,CN=Users,DC=mydomain,DC=de" 
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2

DEFAULT Ldap-Group == "CN=Network-VLAN1,CN=Users,DC=mydomain,DC=de" 
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 1

<... but make sure to insert them *before* any more general DEFAULT section ...>

Rebuild the template files and restart freeradius:

opnsense # configctl template reload OPNsense/Freeradius
opnsense # service radiusd restart
Certificates generated /usr/local/etc/raddb/certs/cert_opn.pem
Certificates generated /usr/local/etc/raddb/certs/ca_opn.pem
Certificates generated /usr/local/etc/raddb/certs/cert_ldap.pem
Stopping radiusd.
Waiting for PIDS: 11699.
Starting radiusd.

And the test results look like this:

linux # radtest user_in_vlan_group1 user_password  opnsense.mydomain.de 1 shared_radius_client_secret
Sent Access-Request Id 97 from 0.0.0.0:52927 to 192.168.1.1:1812 length 76
	User-Name = "user_in_vlan_group1"
	User-Password = "user_password"
	NAS-IP-Address = 192.168.1.154
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "user_password"
Received Access-Accept Id 97 from 192.168.1.1:1812 to 192.168.1.154:52927 length 53
	Message-Authenticator = 0x70ed158027c63bf6d6af68d284bc7904
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
linux # radtest user_in_no_vlan_group user_password opnsense.mydomain.de 1 shared_radius_client_secret
Sent Access-Request Id 198 from 0.0.0.0:41598 to 192.168.1.1:1812 length 76
	User-Name = "user_in_no_vlan_group"
	User-Password = "user_password"
	NAS-IP-Address = 192.168.1.154
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "user_password"
Received Access-Accept Id 198 from 192.168.1.1:1812 to 192.168.1.154:41598 length 59
	Message-Authenticator = 0xcfe2004f3ff063789ee668b73427449b
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "3"
	Framed-Protocol = PPP

In my case VLAN 3 is the fallback for users that are not in any of the VLAN groups.
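To show why the ordering caveat above matters, here is an added shell example (not from the original post) that walks a users file the way freeradius does, first matching DEFAULT entry wins, and demonstrates that moving the general fallback entry (VLAN 3, as in this setup) above the Ldap-Group entries sends every LDAP user to VLAN 3. The sample file contents and the mktemp directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. freeradius stops at the first
# matching DEFAULT entry (no Fall-Through), so a general DEFAULT placed above the
# Ldap-Group entries shadows them and every LDAP user gets the fallback VLAN.
# Assumption: a DEFAULT line without an Ldap-Group check is such a general entry.

# vlan_for_group FILE GROUP_DN -> prints the VLAN a member of GROUP_DN receives
# (first matching entry wins); prints nothing if the winner sets no VLAN.
vlan_for_group() {
    awk -v dn="$2" '
        /^[ \t]*#/ { next }                          # comment line
        /^DEFAULT/ {                                 # start of a DEFAULT entry
            if (match($0, /Ldap-Group[ \t]*==[ \t]*"[^"]*"/)) {
                g = substr($0, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", g); sub(/"$/, "", g)
                hit = (g == dn)                      # group check must match
            } else {
                hit = 1                              # no group check: matches everyone
            }
            next
        }
        /^[^ \t]/ { hit = 0; next }                  # named-user entry, skip it
        hit && /Tunnel-Private-Group-Id/ {           # reply item of the winning entry
            sub(/.*=[ \t]*/, ""); gsub(/[",]/, ""); print; exit
        }
        hit && /^[ \t]*$/ { exit }                   # winner ended without a VLAN
    ' "$1"
}

# Constructed sample: the ordering from the post, then the same entries with the
# general fallback (VLAN 3) moved to the top.
tmp=$(mktemp -d)
cat > "$tmp/good.users" <<'EOF'
DEFAULT Ldap-Group == "CN=Network-VLAN2,CN=Users,DC=mydomain,DC=de"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2

DEFAULT Ldap-Group == "CN=Network-VLAN1,CN=Users,DC=mydomain,DC=de"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 1

DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3
EOF
{ sed -n '11,$p' "$tmp/good.users"; echo; sed -n '1,10p' "$tmp/good.users"; } > "$tmp/bad.users"
```

Running `vlan_for_group "$tmp/bad.users" "CN=Network-VLAN1,CN=Users,DC=mydomain,DC=de"` prints 3 instead of 1, which is exactly the misplacement the caveat warns about.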
