Can't figure out Group Authentication

Julson, Jim jjulson at MARKETRON.COM
Sat Jun 23 15:43:46 CEST 2012 

Alan, 

That was about the most clear and concise description of the process I've found/heard to date.  Thank you for taking the time to educate me.  I will attempt to get this going today.  I think I have everything that I need at this point.  

Have a good one. 

-----Original Message-----
From: freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Saturday, June 23, 2012 6:22 AM
To: FreeRadius users mailing list
Subject: Re: Can't figure out Group Authentication

Julson, Jim wrote:
> Now, I then setup my Cisco router accordingly, and then did an SSH 
> test to it using my AD Account.  Voila!  It worked great.  _*/However, 
> so did every other "Domain User" account in the environment.  /*_ This 
> goes back to me being so new to RADIUS and Linux where I don't feel 
> like I'm fully grasping all of the directives within the configuration 
> files, and exactly how they all tie together.

  Honestly, I don't remember much of that, either.  When I configure the server, I usually go back and read the comments *I wrote* to figure out what to do.

  But for your issue, you told the server to "use AD to authenticate all users".  So that's what it did.

> *So, how do I lock down the SSH Authentication to an Active Directory 
> Group of users, or individual users? * Remember, go easy on me.  I'll 
> provide whatever you need to help.  I'm assuming you will ask for my 
> RADIUSD -X output, so I've attached that as well.

1) configure AD as an LDAP server.  See raddb/modules/ldap

2) add "ldap" to the "instantiate" section of radiusd.conf
   There are references to "ldap" in "authorize" and "authentication"
   You won't need those.

3) Do group checking with LDAP-Group == "group name"

  See the FAQ for examples of rejecting users with a particular group.
The FAQ uses "Group", which is "Unix group from /etc/passwd".  Just use LDAP-Group instead.

> NOTE:  One thing I don't understand is how in Alan DeKok's write up from
> the link above, he says don't use the "DEFAULT    Auth-Type = ntlm_auth"
> in the "/etc/raddb/users" file, but yet that's one of the final steps 
> to test in the write-up.

  It's an intermediate step.  It's necessary only when you're forcing authentication back-ends.

>  Maybe it's because I am so new, but I've been through that document 
> probably 30 times line by line, and yet every time I remove that 
> entry, it breaks the Authentication.

  Yes.  The server needs to now HOW to authenticate the users.  The incoming RADIUS packet contains what KIND of authentication method.
PAP, CHAP, MS-CHAP, etc.  So the server has no choice there.

  But where does it get the passwords from?  Normally this is a DB.  But AD isn't a DB (for various reasons).  Instead, the "Auth-Type = ntlm_auth" reformats and *proxies* the authentication over the Samba protocol, using the ntlm_auth program.

  i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this correct?"

  If the server has passwords from a DB, it can just authenticate the user directly.  If it doesn't have a password for that user, it has to hand off the authentication to someone else.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The information contained in this e-mail message may be confidential and
protected from disclosure.  If you are not the intended recipient, any
dissemination, distribution or copying is strictly prohibited. If you
think that you have received this e-mail message in error, please notify
the sender immediately by replying to this message and then delete it
from your system.

More information about the Freeradius-Users mailing list