dynamic VLAN assignment w/ mschapv2 against AD and LDAP

schilling schilling2006 at gmail.com
Thu Jan 20 17:57:06 CET 2011


Hi All,

The group helped me configure the freeradius server to do mschapv2
against ldap w/ ntPassword if a user signs on as username at foo.edu, and
to do mschapv2 against AD w/ ntlm if a user just signs on with the username.
Now I want to go one step further and pass some attributes
back to the NAS. Basically, I want to achieve:
If (ldap authorization) {
    if (ldap.employeeStatus = facstaff) {
        REPLY{'Service-Type'}            = "Framed-User";
        REPLY{'Tunnel-Type'}             = "VLAN";
        REPLY{'Tunnel-Medium-Type'}      = "IEEE-802";
        REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
    } else { # no ldap.employeeStatus attribute, or ldap.employeeStatus != facstaff
        REPLY{'Service-Type'}            = "Framed-User";
        REPLY{'Tunnel-Type'}             = "VLAN";
        REPLY{'Tunnel-Medium-Type'}      = "IEEE-802";
        REPLY{'Tunnel-Private-Group-Id'} = "student";
    }
} else { # ntlm authentication
    REPLY{'Service-Type'}            = "Framed-User";
    REPLY{'Tunnel-Type'}             = "VLAN";
    REPLY{'Tunnel-Medium-Type'}      = "IEEE-802";
    REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
}

What's the easiest way to accomplish this? unlang? The perl module? Where do I start?

Thanks,

Schilling

From: schilling <schilling2006 at gmail.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: Tue, Dec 14, 2010 at 3:14 PM
Subject: Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?
Mailed-by: gmail.com

Got the whole setup working. So basically, if users sign on as
username at foo.edu with eap, they will be sent to ldap w/ ntpassword
authorization. If users sign on with the username only with eap, they will
be sent to active directory w/ ntlm authentication.
The configuration changes are the following:
In etc/raddb/proxy.conf, add:
   realm foo.edu {
   }
   realm NULL {
   }
In /etc/raddb/site-enabled/inner-tunnel, at the ldap line in the authorize section, add:
   switch "%{Realm}" {
       case foo.edu {
           ldap
           # see /etc/raddb/module/mschap: if the NT password is available,
           # then do not use ntlm_auth
           update control {
               MS-CHAP-Use-NTLM-Auth := NO
           }
       }
       case NULL {
           mschap
       }
   }

etc/raddb/module/mschap and etc/raddb/module/ntlm are all from the
"integrate with Active Directory" howto.
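The VLAN policy asked about at the top of this mail, expressed in unlang as an added example that is not from the original thread or the FreeRADIUS distribution. It assumes the "%{Realm}" switch from the inner-tunnel config above, and that the LDAP employeeStatus attribute has been mapped by a checkItem line in ldap.attrmap to a locally defined dictionary attribute named Employee-Status (a hypothetical name); Service-Type, Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id are the standard RADIUS reply attributes.

```unlang
# Added example: dynamic VLAN assignment in the inner-tunnel virtual server.
# Put it in post-auth (or after the ldap/mschap switch in authorize) so it
# only runs for requests that have passed authentication.
# Employee-Status is a hypothetical local dictionary attribute, assumed to be
# filled from the LDAP employeeStatus attribute by a checkItem in ldap.attrmap.

# Attributes common to every accepted user
update reply {
    Service-Type       := Framed-User
    Tunnel-Type        := VLAN
    Tunnel-Medium-Type := IEEE-802
}

switch "%{Realm}" {
    # users who signed on as username@foo.edu were authorized via LDAP
    case foo.edu {
        if (control:Employee-Status == "facstaff") {
            update reply {
                Tunnel-Private-Group-Id := "facstaff"
            }
        }
        else {
            # no employeeStatus attribute, or any value other than facstaff,
            # lands in the more restricted student VLAN
            update reply {
                Tunnel-Private-Group-Id := "student"
            }
        }
    }
    # users who signed on with a bare username were authenticated against AD
    case NULL {
        update reply {
            Tunnel-Private-Group-Id := "facstaff"
        }
    }
}
```

For PEAP/TTLS the inner-tunnel reply attributes only reach the NAS when use_tunneled_reply = yes is set for that EAP method in eap.conf; check with radiusd -X that the Tunnel-* attributes appear in the final Access-Accept.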


