Hello,
I’ve encountered an issue with VLAN assignment for users authenticating via 802.1X. While the users authenticate successfully, the VLAN is not being assigned. After reviewing the FreeRADIUS debug logs, I noticed that the Tunnel-Private-Group-Id attribute is not included in the Reply-Message. Further investigation revealed that the LDAP query is constructed incorrectly, using the %{User-Name} variable, which includes the domain name and a backslash (\), resulting in a malformed query like uid=domainname\5cusername.
Example from the FreeRADIUS debug log:
(25) if ("%{tolower:%{request:User-Name}}" =~ /^host\/(.*)\.domainname.example.com/) -> FALSE
(25) if (control:Auth-Type == "CSID" || (Calling-Station-Id && EAP-Message && control:Cleartext-Password)) {
(25) if (control:Auth-Type == "CSID" || (Calling-Station-Id && EAP-Message && control:Cleartext-Password)) -> FALSE
(25) if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") {
rlm_ldap (ldap): Reserved connection (12)
(25) Performing search in "dc=domainname,dc=example,dc=com" with filter "(|(uid=domainname\5cusername)(macAddress=0C:37:96:<mask>))", scope "sub"
(25) Waiting for search result...
(25) Search returned no results
rlm_ldap (ldap): Released connection (12)
(25) EXPAND %{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}
(25) -->
(25) if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{User-Name})(macAddress=%{Calling-Station-Id}))}") -> FALSE
As a result, the query does not return any results, and the VLAN is not assigned.
Solution: I modified the FreeRADIUS configuration /etc/freeradius/3.0/sites-enabled/default by replacing the %{User-Name} variable with %{Stripped-User-Name} to ensure the LDAP query is constructed correctly, without the domain name and backslash:
if ("%{ldap:ldap:///dc=domainname,dc=example,dc=com?uid?sub?(|(uid=%{Stripped-User-Name})(macAddress=%{Calling-Station-Id}))}") {
After this change, RADIUS started returning the correct VLAN ID:
(10) Tunnel-Type := VLAN
(10) Tunnel-Medium-Type := IEEE-802
(10) Tunnel-Private-Group-Id := "3156"
Question: Is this a bug in UCS (a configuration or logic issue in the LDAP query), or am I missing something? Could there be any unintended side effects from replacing %{User-Name} with %{Stripped-User-Name}?
Thank you in advance for your assistance!
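The following is an added illustration, not code from the post or from UCS/FreeRADIUS, that models how the filter above is expanded from the RADIUS attributes. It shows why a DOMAIN\user login produces the \5c sequence (RFC 4515 filter escaping of the backslash), what changes with Stripped-User-Name, and the side effect the question asks about: Stripped-User-Name is only populated when a realm module (ntdomain/suffix) has split the login, so for a plain username it expands to an empty string and the uid branch of the filter becomes (uid=), which matches no user. The fallback form %{%{Stripped-User-Name}:-%{User-Name}} (the xlat default-value syntax used by the stock rlm_ldap configuration) avoids that. The realm-stripping logic and the sample MAC address are constructed assumptions for the demonstration.

```python
"""Model of FreeRADIUS-style LDAP filter expansion (constructed example).

Not FreeRADIUS code: it only reproduces the string handling needed to show
how %{User-Name}, %{Stripped-User-Name} and the fallback idiom differ.
"""
from typing import Optional

# RFC 4515: characters with special meaning in an LDAP filter are replaced
# by backslash + two hex digits. A backslash becomes "\5c", which is exactly
# what appeared in the debug log for "domainname\username".
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value before placing it in an LDAP filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def strip_realm(user_name: str) -> Optional[str]:
    """Mimic the ntdomain / suffix realm modules (assumption).

    Returns the bare username, or None when no realm delimiter is present,
    which corresponds to Stripped-User-Name never being set.
    """
    if "\\" in user_name:                 # DOMAIN\user -> user
        return user_name.split("\\", 1)[1]
    if "@" in user_name:                  # user@realm  -> user
        return user_name.rsplit("@", 1)[0]
    return None


def build_filter(user_name: str, mac: str,
                 use_stripped: bool, fallback: bool = False) -> str:
    """Expand the post's filter with either %{User-Name} or
    %{Stripped-User-Name}. With fallback=True the uid value behaves like
    %{%{Stripped-User-Name}:-%{User-Name}}: use the stripped name when it
    exists, otherwise fall back to the full User-Name."""
    stripped = strip_realm(user_name)
    if use_stripped:
        # An unset attribute expands to the empty string in xlat.
        uid = stripped if stripped is not None else ""
        if uid == "" and fallback:
            uid = user_name
    else:
        uid = user_name
    return "(|(uid=%s)(macAddress=%s))" % (ldap_filter_escape(uid),
                                          ldap_filter_escape(mac))


if __name__ == "__main__":
    mac = "0C:37:96:00:00:00"             # constructed sample MAC
    for login in ("domainname\\username", "username"):
        print(login)
        print("  User-Name:          ", build_filter(login, mac, False))
        print("  Stripped-User-Name: ", build_filter(login, mac, True))
        print("  with fallback:      ", build_filter(login, mac, True, True))
```

Running it shows the three outcomes side by side: the original filter carries uid=domainname\5cusername, the Stripped-User-Name variant yields uid=username for a domain-qualified login but uid= for a plain one, and the fallback form yields a usable uid in both cases. Note that in the OR filter an empty uid branch is masked when the macAddress branch matches, which can hide the problem for devices that also have a MAC entry in LDAP.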