authenticating question

Garber, Neal Neal.Garber at energyeast.com
Wed Oct 25 19:18:20 CEST 2006


> Ok, Well that might be what I'm looking for. How do you get 
> Radius to check for username,password and vlan/ssid? 

Well, as you might expect, that depends upon what data store
you plan to go against (unix passwd file, freeradius users file,
LDAP, etc.)  You mentioned LDAP last time so I'll give you some
pointers on that.  

We use LDAP for authorization and ntlm_auth via
PEAP/MS-CHAP-V2 for authentication of 802.11 users.  We require
authentication via the AP to associate as opposed to using 
"open" on the AP with a Web-based portal.  To configure
LDAP authorization, look in ldap.attrmap.  Within this file,
you'll see checkItem entries.  These entries
define what LDAP attribute to look for and the radius attribute
to which it should be mapped.  In our case, we check for membership
in a specific AD group, based upon the SSID to which they are
connecting.  So, I have a checkItem for the "memberOf" LDAP
attribute and I map it to Ldap-Group.  The LDAP module will create
an Ldap-Group check attribute for each AD group of which the user 
is a member (other than their primary group).  Then, I have a perl
script that determines the required group and checks for membership
(by looking in the %RAD_CHECK{'Ldap-group'} variable - it will be
an array if the user is a member of more than 1 group).  It then 
returns RLM_REJECT if they aren't a member of a required group.
You could also use attr_rewrite, probably with a regular expression,
to create a custom Group-Requirement attribute based upon the 
SSID/VLAN information in the request.  Then, you could
use the checkval module to do the testing.  (I used perl
because it is much more flexible and because I like perl :-).)

> Can you do a quick cut/paste job of what I need to place 
> in my conf files? 

Not unless you can articulate your specific requirements.  If you
need more info than the above, state more specifically
what you're trying to do (what LDAP attribute and what values).
Or, if you're not using LDAP, what are you using?

> Also what AP's are you using that allow you to get them to send the
> ssid/vlan to Radius? 

Cisco 1232.  You can get it to send the SSID via:

dot11 location ... (will send WISPr-Location-ID as a request 
attribute with the SSID contained within the string)

or

radius-server vsa send authentication (will send cisco-AVPair
as a request attribute with ssid=xxxx within the string)

By the way, it is generally preferred to send all messages to
the mailing list.  In this way, you can take advantage of
everyone's experience.
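The SSID-to-group check described in the reply above, written out as an added rlm_perl script. This is example code, not the poster's script or anything shipped with FreeRADIUS. It assumes the SSID arrives in a Cisco-AVPair of the form ssid=<name> (the `radius-server vsa send authentication` case; a WISPr-Location-ID string would be parsed the same way once you know the exact format your AP sends), that ldap.attrmap contains `checkItem Ldap-Group memberOf` so each memberOf DN shows up as an Ldap-Group check item, and a made-up SSID-to-group table whose `WLAN-*` group names and example.com DNs are placeholders. The return-code constants are the ones rlm_perl's example.pl defines.

```perl
#!/usr/bin/perl
# Added example for rlm_perl: allow a user to associate only if they are
# a member of the AD group required for the SSID they are connecting to.
# Assumptions (not from the original post): Cisco-AVPair carries
# "ssid=<name>", ldap.attrmap has "checkItem Ldap-Group memberOf", and the
# SSID -> group table below is a placeholder for your own policy.
use strict;
use warnings;

# rlm_perl populates these hashes before calling authorize(); a
# multi-valued attribute arrives as an array reference.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes as defined in rlm_perl's example.pl.
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_FAIL   => 1,
    RLM_MODULE_OK     => 2,
    RLM_MODULE_NOOP   => 7,
};

# Assumed policy: SSID -> list of AD groups, any one of which is enough.
my %groups_for_ssid = (
    'corp'  => [ 'WLAN-Corp' ],
    'guest' => [ 'WLAN-Guest', 'WLAN-Corp' ],
);

# Pull the SSID out of Cisco-AVPair (single value or array ref).
sub ssid_from_request {
    my $avpair = $RAD_REQUEST{'Cisco-AVPair'};
    return undef unless defined $avpair;
    for my $v (ref $avpair ? @$avpair : ($avpair)) {
        return lc $1 if $v =~ /^ssid=(.+)$/i;
    }
    return undef;
}

# Ldap-Group holds the raw memberOf DNs, e.g.
# "CN=WLAN-Corp,OU=Groups,DC=example,DC=com"; reduce each to its CN.
sub user_groups {
    my $g = $RAD_CHECK{'Ldap-Group'};
    return () unless defined $g;
    my %seen;
    for my $dn (ref $g ? @$g : ($g)) {
        my $name = $dn =~ /^\s*CN=([^,]+)/i ? $1 : $dn;
        $seen{lc $name} = 1;
    }
    return keys %seen;
}

sub authorize {
    my $ssid = ssid_from_request();
    if (!defined $ssid) {
        # The AP did not tell us the SSID: refuse rather than guess.
        &radiusd::radlog(1, "no ssid in Cisco-AVPair, rejecting");
        return RLM_MODULE_REJECT;
    }
    my $allowed = $groups_for_ssid{$ssid};
    if (!$allowed) {
        &radiusd::radlog(1, "unknown ssid '$ssid', rejecting");
        return RLM_MODULE_REJECT;
    }
    my %mine = map { $_ => 1 } user_groups();
    for my $grp (@$allowed) {
        return RLM_MODULE_OK if $mine{lc $grp};
    }
    &radiusd::radlog(1, "user not in a required group for ssid '$ssid'");
    return RLM_MODULE_REJECT;
}

# Stand-alone smoke test with constructed data (skipped inside radiusd,
# where radiusd::radlog already exists): perl thisfile.pl
unless (defined &radiusd::radlog) {
    *radiusd::radlog = sub { print STDERR "$_[1]\n" };
    %RAD_REQUEST = ('Cisco-AVPair' => 'ssid=corp');
    %RAD_CHECK   = ('Ldap-Group'   => [
        'CN=WLAN-Guest,OU=Groups,DC=example,DC=com',
        'CN=Staff,OU=Groups,DC=example,DC=com',
    ]);
    # A WLAN-Guest member on the corp SSID is rejected.
    print authorize() == RLM_MODULE_REJECT ? "rejected\n" : "accepted\n";
}
```

For this to work, `ldap` must run before `perl` in the authorize section so that %RAD_CHECK already holds the Ldap-Group items, and with PEAP the check runs against the inner (tunnelled) request, so the AP's Cisco-AVPair has to be visible there (see copy_request_to_tunnel in eap.conf). Rejecting when the SSID is absent or unknown is deliberate: a mis-configured AP should fail closed rather than fall through to "any group is fine".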