
NAS-Port-Id authentication when using openLDAP with steel-belted radius ???

Trung, Nguyen Du
New Contributor


Dear all,

I have a question about using NAS-Port-Id to authenticate users with openLDAP and a Steel-Belted Radius server.

In the openLDAP schema, I have defined a radiusNASPortId attribute. I want to use NAS-Port-Id as a check-list attribute for authenticating users.

I have configured the ldapauth.aut header file for authentication with LDAP.

In [attribute/ name] I always include the radiusNASPortId attribute for lookup in the openLDAP attributes.

In [Response] I have configured NAS-Port-Id = radiusNASPortId to map the RADIUS NAS-Port-Id to the LDAP radiusNASPortId attribute.

But when I test with an account from LDAP, the authentication is successful in the case where the RADIUS request packet does not include the NAS-Port-Id attribute. The RADIUS server does not check the NAS-Port-Id attribute from the RADIUS request packet; it only checks the username and password. So I want RADIUS to check the username, password and NAS-Port-Id for successful user authentication.

Can anyone help me or provide a method for how to do that?

Thanks very much,


Frequent Contributor

Re: NAS-Port-Id authentication when using openLDAP with steel-belted radius ???

If you want to verify the user's NAS-PORT-ID, you must use this in the FILTER of the LDAP search. Simply adding it to the ATTRIBUTES and RESPONSE sections only tells SBR to RETURN the value in the LDAP database to the RADIUS attribute. It does not tell SBR to use it as a checklist attribute.

With LDAP, the only way you can get a checklist attribute to be used is to use a PROFILE. You can define the PROFILE in the SBR GUI and then add your checklist values there. In the LDAP file, you can add a [DEFAULT] section and put something like myProfile=PROFILENAME (whatever you defined in the GUI).

Then, in the [RESPONSE] section, you add %Profile=myProfile.

This will tie the profile to a successfully authenticated user. That profile's checklist will be evaluated. If they pass the checklist, they will authenticate.

Hope that helps
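
The first point in the reply above (checking NAS-Port-Id in the LDAP search filter rather than only returning it) sketched as an added example; it is not part of the original thread and is not SBR code or ldapauth.aut syntax. It builds a filter that requires both the user and the port to match, rejects a request that carries no NAS-Port-Id, and escapes request values per RFC 4515. The `uid` attribute and the sample requests are assumptions.

```python
# Added illustration: not Steel-Belted Radius code or configuration.
# Assumptions: users are located by "uid"; radiusNASPortId is the LDAP
# attribute named in the thread; the sample requests below are constructed.

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a request-supplied value so it is compared literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(request):
    """Return a filter matching user AND port, or None to reject.

    A request without NAS-Port-Id is rejected (fail closed) instead of
    falling back to a username-only search, which is the behaviour the
    original poster observed and wanted to avoid.
    """
    user = request.get("User-Name")
    port = request.get("NAS-Port-Id")
    if not user or not port:
        return None
    return "(&(uid={})(radiusNASPortId={}))".format(
        escape_filter_value(user), escape_filter_value(port)
    )


# Constructed sample Access-Request attribute sets.
SAMPLES = [
    {"User-Name": "alice", "NAS-Port-Id": "ge-0/0/1.100"},  # normal request
    {"User-Name": "alice"},                                 # port missing
    {"User-Name": "alice", "NAS-Port-Id": "*"},             # filter metacharacter
]

if __name__ == "__main__":
    for req in SAMPLES:
        flt = build_filter(req)
        print(req, "->", flt if flt else "REJECT (no NAS-Port-Id)")
```

Without the escaping step, a `*` in the request value would be read as filter syntax and the port comparison would become a presence test instead of an equality test.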