Google Workspace Secure LDAP Group Based VLAN Assignment using FreeRADIUS
Understanding LDAP Groups for VLAN Assignment
To apply policy based on LDAP groups, we first need each group's exact distinguished name (DN). One way of getting that is through FreeRADIUS debug output (running freeradius -X) while a user is being authenticated. Consider the following partial debug output:
(30) ldap: User object found at DN "uid=student,ou=12,ou=Students,ou=Users,dc=example,dc=com"
(30) ldap: Adding cacheable user object memberships
(30) ldap: &control:LDAP-Group += "cn=2023,ou=Groups,dc=example,dc=com"
(30) ldap: &control:LDAP-Group += "cn=group4virtual,ou=Groups,dc=example,dc=com"
(30) ldap: &control:LDAP-Group += "cn=students,ou=Groups,dc=example,dc=com"
The last line shows that the user belongs to the students group. Suppose we want every user in the students group to be assigned to VLAN 10. Here is the process for it.
1. Create LDAP Group Check Policy
- Create a policy for checking LDAP membership:
nano /etc/freeradius/3.0/policy.d/ldap_groupcheck
- Add the following contents to the file. The RADIUS attribute Tunnel-Private-Group-ID specifies the VLAN ID that should be applied to any member of the students group.
ldap_groupcheck {
    # Match when any cached LDAP-Group value equals the students group DN
    if (&LDAP-Group[*] == "cn=students,ou=Groups,dc=example,dc=com") {
        update reply {
            &Tunnel-Type := 13              # 13 = VLAN
            &Tunnel-Medium-Type := 6        # 6 = IEEE-802
            &Tunnel-Private-Group-ID := 10  # VLAN ID sent to the switch/AP
        }
    }
}
- Save and exit.
2. Apply Policy to Virtual Server
- Edit the default virtual server:
nano /etc/freeradius/3.0/sites-enabled/default
- In the authorize section, after ldap, add this:
ldap_groupcheck
- Additionally, at the start of the authorize section, add this directive:
preprocess
- Save and exit.
3. Update Configuration Files
Update EAP Module
- Open the EAP module:
nano /etc/freeradius/3.0/mods-enabled/eap
- In the ttls section, modify the following:
copy_request_to_tunnel = yes
- Save and exit.
Update LDAP Module
- Open the LDAP module:
nano /etc/freeradius/3.0/mods-enabled/ldap
- In the group section, modify the following:
cacheable_dn = 'yes'
- Save and exit.
4. Restart FreeRADIUS Service
- Restart the FreeRADIUS service to apply changes:
systemctl restart freeradius.service
5. Rules for Multiple Groups
The ldap_groupcheck code above can be extended to multiple groups and VLANs. For example, for students, teachers, and admin groups assigned to VLANs 10, 20, and 30 respectively:
ldap_groupcheck {
    # Branches are evaluated top to bottom; the first match wins
    if (&LDAP-Group[*] == "cn=students,ou=Groups,dc=example,dc=com") {
        update reply {
            &Tunnel-Type := 13              # 13 = VLAN
            &Tunnel-Medium-Type := 6        # 6 = IEEE-802
            &Tunnel-Private-Group-ID := 10  # students -> VLAN 10
        }
    }
    elsif (&LDAP-Group[*] == "cn=teachers,ou=Groups,dc=example,dc=com") {
        update reply {
            &Tunnel-Type := 13
            &Tunnel-Medium-Type := 6
            &Tunnel-Private-Group-ID := 20  # teachers -> VLAN 20
        }
    }
    elsif (&LDAP-Group[*] == "cn=admin,ou=Groups,dc=example,dc=com") {
        update reply {
            &Tunnel-Type := 13
            &Tunnel-Medium-Type := 6
            &Tunnel-Private-Group-ID := 30  # admin -> VLAN 30
        }
    }
}
Assigning VLAN for Users in Multiple Groups
If a user is part of multiple groups, such as teachers and admin, and we want to assign them a specific VLAN, we can create a rule for such cases:
ldap_groupcheck {
    # Both conditions must hold: the user is in teachers AND in admin
    if (&LDAP-Group[*] == "cn=teachers,ou=Groups,dc=example,dc=com" && &LDAP-Group[*] == "cn=admin,ou=Groups,dc=example,dc=com") {
        update reply {
            &Tunnel-Type := 13              # 13 = VLAN
            &Tunnel-Medium-Type := 6        # 6 = IEEE-802
            &Tunnel-Private-Group-ID := 20  # VLAN for users in both groups
        }
    }
}
Processing Order of Rules
- Rules are evaluated from top to bottom.
- If a user matches a rule, the remaining elsif branches are skipped.
- Consequently, a rule that requires membership in several groups (such as teachers and admin) must be placed above the single-group rules for those groups; otherwise the single-group branch matches first and the combined rule is never reached.
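The following is an added example, not part of the original guide: a small Python simulation of how the if/elsif chain from the "Rules for Multiple Groups" section resolves a VLAN, using the group DNs and VLAN numbers from this guide. It extracts the cached LDAP-Group values from constructed freeradius -X lines (copied from the debug excerpt above), applies first-match semantics, and reports which branch matched so that the ordering problem described under "Processing Order of Rules" becomes visible. The rule names, the two chain orderings and the helper functions are assumptions made for illustration; they are not FreeRADIUS APIs.

```python
"""
Added example (not from the original guide): simulate the first-match
evaluation of an ldap_groupcheck if/elsif chain against the LDAP-Group
values that the ldap module logs in `freeradius -X` output.
"""
import re

# Constructed sample of the debug lines shown in the guide.
DEBUG_OUTPUT = """\
(30) ldap: User object found at DN "uid=student,ou=12,ou=Students,ou=Users,dc=example,dc=com"
(30) ldap: Adding cacheable user object memberships
(30) ldap: &control:LDAP-Group += "cn=2023,ou=Groups,dc=example,dc=com"
(30) ldap: &control:LDAP-Group += "cn=group4virtual,ou=Groups,dc=example,dc=com"
(30) ldap: &control:LDAP-Group += "cn=students,ou=Groups,dc=example,dc=com"
"""

GROUP_LINE = re.compile(r'&control:LDAP-Group \+= "([^"]+)"')


def groups_from_debug(text):
    """Collect every LDAP-Group DN the ldap module cached for this request."""
    return set(GROUP_LINE.findall(text))


# Group DNs used in the guide.
STUDENTS = "cn=students,ou=Groups,dc=example,dc=com"
TEACHERS = "cn=teachers,ou=Groups,dc=example,dc=com"
ADMIN = "cn=admin,ou=Groups,dc=example,dc=com"

# Each entry mirrors one if/elsif branch (hypothetical rule names):
# (name, set of DNs that must ALL be present, Tunnel-Private-Group-ID).
CHAIN_COMBINED_LAST = [
    ("students", {STUDENTS}, 10),
    ("teachers", {TEACHERS}, 20),
    ("admin", {ADMIN}, 30),
    ("teachers+admin", {TEACHERS, ADMIN}, 20),
]

# Same branches, with the two-group condition evaluated first.
CHAIN_COMBINED_FIRST = [CHAIN_COMBINED_LAST[3]] + CHAIN_COMBINED_LAST[:3]


def resolve_vlan(groups, chain):
    """First-match semantics of an if/elsif chain: return (rule_name, vlan)
    for the first branch whose required groups are all present, else None."""
    for name, required, vlan in chain:
        if required <= groups:          # subset test == all && conditions hold
            return name, vlan
    return None                         # no branch matched: no VLAN attributes


def reply_attributes(vlan):
    """The three RADIUS attributes the policy adds to the Access-Accept."""
    return {
        "Tunnel-Type": 13,              # 13 = VLAN
        "Tunnel-Medium-Type": 6,        # 6 = IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    student = groups_from_debug(DEBUG_OUTPUT)
    print(resolve_vlan(student, CHAIN_COMBINED_LAST))
    staff = {TEACHERS, ADMIN}
    # With the combined rule last, the "teachers" branch wins and the
    # combined branch is dead code; with it first, the combined branch wins.
    print(resolve_vlan(staff, CHAIN_COMBINED_LAST))
    print(resolve_vlan(staff, CHAIN_COMBINED_FIRST))
```

With the guide's numbers both orderings happen to yield VLAN 20 for a user in teachers and admin, but the matched branch differs, so any later change to the combined rule's VLAN would silently have no effect unless that rule sits above the single-group branches.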
By following this guide, you can effectively assign VLANs based on Google Workspace Secure LDAP group membership using FreeRADIUS.