Authentication via ntlm_auth with check the user group

Сергей Усов usows at pomorsu.ru
Wed Dec 7 10:11:45 CET 2011


Hi

I am trying to configure authentication via ntlm_auth with a check of the user's group. All authentication attempts are rejected.

The same configuration without checking groups works correctly.

policy.conf:

extract_ssid {
          if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
                  update request {
                          Called-Station-SSID := "%{7}"
                  }
                  if (Called-Station-SSID == localnet1) {
                          update request{
                                  AD-Group := WiFisec
                          }
                  }
                  else {
                          update request{
                                  AD-Group := WiFi-public
                          }

                  }

          }
          else {
                  noop
          }
}

modules/mschap:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=POMORSU+%{AD-Group}"

sites-enabled/default:

authorize {
          preprocess
          extract_ssid

freeradius 2.1.10+dfsg-2 debian squeeze
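
Added example, not part of the original post: a Python emulation of the extract_ssid policy and of the --require-membership-of expansion, to check which group name ntlm_auth is asked to verify for a given Called-Station-Id. The sample Called-Station-Id values are constructed; the exact string comparison and the empty expansion of an unset attribute are assumptions about unlang behaviour.

```python
import re

# Regex copied from the extract_ssid policy in the post (/i -> re.IGNORECASE).
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?",
    re.IGNORECASE,
)

def extract_ssid(called_station_id):
    """Return (ssid, ad_group) as the policy would set them, or (None, None) on noop."""
    m = CALLED_STATION_RE.match(called_station_id)
    if m is None:
        return None, None            # else { noop }: neither attribute is set
    ssid = m.group(7) or ""          # Called-Station-SSID := "%{7}"
    # Assumption: unlang's == on strings is an exact, case-sensitive comparison.
    group = "WiFisec" if ssid == "localnet1" else "WiFi-public"
    return ssid, group

def membership_arg(ad_group):
    """Expand --require-membership-of=POMORSU+%{AD-Group}.
    Assumption: an attribute that was never set expands to an empty string."""
    return "--require-membership-of=POMORSU+" + (ad_group or "")

# Constructed Called-Station-Id values (not taken from the post).
SAMPLES = [
    "00-11-22-33-44-55:localnet1",   # MAC with separators, then SSID
    "001122334455:localnet1",        # MAC without separators
    "00-11-22-33-44-55:LocalNet1",   # SSID differs only in case
    "00-11-22-33-44-55:guest net",   # space is outside the character class
    "00-11-22-33-44-55",             # no SSID appended
    "ap-lobby",                      # no MAC at all: regex does not match
]

def report():
    """One row per sample: (input, ssid, AD-Group, ntlm_auth argument)."""
    rows = []
    for value in SAMPLES:
        ssid, group = extract_ssid(value)
        rows.append((value, ssid, group, membership_arg(group)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-30s ssid=%-12r group=%-14r %s" % row)
```

Comparing the printed argument with the group name as winbind reports it (including the domain separator) shows whether the value handed to ntlm_auth is the one intended.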




