mpd+freeradius+AD

Егоров Сергей admin at i-on.ru
Mon Jun 26 13:04:25 CEST 2006


Thanks for reply. 

> You can use one of the three firewalls available in the base system (ipfw,
> ipf and pf), however mpd comes with a small dictionary that uses ipfw(8)
> and you can easily define some filter bound to an interface (bound to a
> username) via a radius reply attribute, let filter be a pipe (for bandwidth
> control) or a packet filtering expression.

That's fine for filtering vpn users access to local net. But how could I assign specific IP for specific user in AD?

> Your questions don't clearly tell where your problem is.
>Active Directory? mpd? or FreeRADIUS? You should define
>them better in order to get help from the list. 

My goal is to replace a VPN server based on win2003 with a FreeBSD one. WIN 2003 can do 1 and 2 in my questions, so I have to work out how to set this up in mpd + freeradius. I already authenticate users from an AD group:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
             --username=%{Stripped-User-Name:-%{User-Name:-None}}
             --challenge=%{mschap:Challenge:-00}
             --nt-response=%{mschap:NT-Response:-00}
             --require-membership-of=EXAMPLE+VPN_Allowed"

But I have several VPN groups and need to set up timeouts on each one. Also I need to assign a specific IP to a specific user in AD. Looks like FreeRadius should be responsible for this.


-----Original Message-----
From: Nikos Vassiliadis [mailto:nvass at teledomenet.gr] 
Sent: Monday, June 26, 2006 2:22 PM
To: freeradius-users at lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 09:55, Егоров Сергей wrote:
> Hi all! I have completed setup of mpd+freeradius+AD 2003. Now my users
> are authenticating from Active Directory, if they are members of a specific
> group. But I still have some questions:
>
> 1. How to make different timeouts for different groups in AD
> 2. How to assign a special IP to special users
> 3. How to restrict users to access only a defined IP in my network

You can use one of the three firewalls available in the base system (ipfw, ipf
and pf), however mpd comes with a small dictionary that uses ipfw(8) and you
can easily define some filter bound to an interface (bound to a username) via a
radius reply attribute, let filter be a pipe (for bandwidth control) or a packet
filtering expression. So, if you want different rules for different usernames
ipfw is the sensible packet filter to use.

You can find the radius section of mpd, here:
http://www.bretterklieber.com/mpd/doc4/mpd28.html

Your questions don't clearly tell where your problem is.
Active Directory? mpd? or FreeRADIUS? You should define
them better in order to get help from the list.

HTH a bit, Nikos
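Both the per-user address (question 2) and the per-group timeout (question 1) travel from FreeRADIUS to mpd as attributes inside the Access-Accept; the thread only names "a radius reply attribute" without showing what that is on the wire. The following is an added example, not code from this thread, from mpd or from FreeRADIUS: it builds an RFC 2865 Access-Accept carrying the standard Framed-IP-Address (type 8) and Session-Timeout (type 27) attributes, then does what the NAS side (mpd) has to do before trusting them, namely recompute the Response Authenticator over the packet with the shared secret and reject any reply that fails that check. The shared secret, request authenticator, address 10.0.0.50 and 3600-second timeout are all constructed placeholder values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865 packet code and attribute types used below
ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8   # 4-byte IPv4 address
SESSION_TIMEOUT = 27    # 32-bit unsigned seconds


def attr_ipv4(attr_type, address):
    """Type / Length / Value encoding of an IPv4-valued attribute (length is always 6)."""
    return bytes([attr_type, 6]) + ipaddress.IPv4Address(address).packed


def attr_int(attr_type, value):
    """Type / Length / Value encoding of a 32-bit integer attribute (length is always 6)."""
    return bytes([attr_type, 6]) + struct.pack("!I", value)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Server side: assemble an Access-Accept.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    so a reply is bound both to the original request and to the shared secret.
    """
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """NAS side: recompute the Response Authenticator and compare in constant time."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attributes(attrs):
    """Walk the TLV list; unknown types are kept raw, malformed lengths are rejected."""
    out = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + length]
        if attr_type == FRAMED_IP_ADDRESS:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif attr_type == SESSION_TIMEOUT:
            out["Session-Timeout"] = struct.unpack("!I", value)[0]
        else:
            out[attr_type] = value
        i += length
    return out


def decode_accept(packet, request_authenticator, secret):
    """What a NAS should do: only expose the reply attributes once the packet authenticates."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet")
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    return parse_attributes(packet[20:])


def demo():
    # Constructed values standing in for the real shared secret and the
    # Request Authenticator that mpd would have sent in its Access-Request.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    packet = build_access_accept(
        identifier=7,
        request_authenticator=request_auth,
        secret=secret,
        attributes=[attr_ipv4(FRAMED_IP_ADDRESS, "10.0.0.50"),
                    attr_int(SESSION_TIMEOUT, 3600)],
    )
    return decode_accept(packet, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the two attributes are simply reply items that FreeRADIUS adds for the matching user or group entry; the point of the check in `decode_accept` is that an address or timeout is only applied when the reply authenticates under the shared secret, so a forged Access-Accept on the RADIUS path cannot hand out addresses or lifetimes.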
