Can't figure out Group Authentication

Julson, Jim jjulson at MARKETRON.COM
Wed Jun 27 06:49:13 CEST 2012


I appreciate the configuration and the help.

Unfortunately the syntax will be a little different for the LDAP module since I'm querying a Microsoft Active Directory and not an OpenLDAP Server.  The filters, access attributes and other various settings are completely different from what Microsoft passes in their LDAP Attributes.

Again, thank you for the input though.  If anyone else has what they use for their Filters, I'd absolutely appreciate a working reference from /etc/raddb/modules/ldap .  I think that's my one main problem.

Thanks!

From: freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org] On Behalf Of dhanushka ranasinghe
Sent: Tuesday, June 26, 2012 9:51 PM
To: FreeRadius users mailing list
Subject: Re: Can't figure out Group Authentication

Hi...

I was able to get OpenLDAP group authentication + PAP with RADIUS; I used the following settings.

In the users file:

DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihk,dc=com"
        Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


and in /etc/freeradius/modules/ldap:

        server = "ldap.ihx.com"
        identity = "cn=admin,dc=openldap,dc=ihx,dc=com"
        password = abc
        basedn = "dc=openldap,dc=ihx,dc=com"
        filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"
        access_attr = "mail"
        authtype = ldap



and uncomment the following lines in /etc/freeradius/modules/ldap:

 groupname_attribute
 groupmembership_filter
 groupmembership_attribute

hope this helps,


Thank You
On 26 June 2012 20:44, Julson, Jim <jjulson at marketron.com> wrote:
Forgive my ignorance, but the variable that you are suggesting I use would be something that I had to create locally on my RADIUS servers right?  The idea is that we use our central point of management which in our case is Active Directory.  We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes.  So managing groups on a "per radius server" basis isn't really a good choice from a management perspective.  Using the Active Directory domain, we can have our admins move folks in and out of groups as necessary.

Did I understand your suggestion right?  Or is that variable "--require-membership-of=" something that can help me achieve what I want to do?  I thought I had to use LDAP for Group Authorization...

-----Original Message-----
From: freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org] On Behalf Of NdK
Sent: Tuesday, June 26, 2012 3:36 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Can't figure out Group Authentication
On 22/06/2012 17:32, Julson, Jim wrote:

> Now, the problem is this.  Following Alan DeKok's guide at http://deployingradius.com/documents/configuration/active_directory.html, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort.  There were a few things I had to go elsewhere to figure out, but I managed.  I have FreeRADIUS set up and authenticating using NTLM_AUTH.  I was able to join my AD 2008 R2 Domain, I can list users, groups etc.  This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users.  So the problem is this.  It's authenticating...a little too well.



Why not add a "default group" var (to be overridden for specific
clients) and pass it to ntlm_auth in "--require-membership-of="
parameter? That way you can filter who can authenticate from any NAS.
And IIUC huntgroups, you can even define groups of clients...

Please correct me if I'm wrong.

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The information contained in this e-mail message may be confidential and
protected from disclosure.  If you are not the intended recipient, any
dissemination, distribution or copying is strictly prohibited. If you
think that you have received this e-mail message in error, please notify
the sender immediately by replying to this message and then delete it
from your system.
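An Active Directory-oriented version of the settings dhanushka showed, added here as an example and not taken from any of the posters: the attribute names are the standard AD ones (sAMAccountName, member, memberOf), while the domain controller, bind account, password and group DN are placeholders. Authentication itself stays with ntlm_auth as in the guide Jim followed; this only adds the group authorization step.

```conf
# /etc/raddb/modules/ldap  (constructed example; server, bind DN,
# password and group DN are placeholders for your own domain)
ldap {
        # Read-only bind account: give it no rights beyond reading the
        # user and group objects it needs, and keep this file root-readable.
        server = "dc01.example.com"
        identity = "CN=radius-bind,CN=Users,DC=example,DC=com"
        password = "PLACEHOLDER_BIND_PASSWORD"
        basedn = "DC=example,DC=com"

        # AD keeps the login name in sAMAccountName, not uid or mail.
        # Stripped-User-Name is used when a realm (DOMAIN\ or @domain)
        # has been removed from the login.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # access_attr is deliberately left unset: whether a user is
        # accepted is decided by the Ldap-Group check in the users file,
        # not by a per-user attribute on the account object.

        # Group lookups against AD: groups are objectClass=group and list
        # their members in "member"; a user's groups appear in "memberOf".
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
        groupmembership_attribute = memberOf
}

# /etc/raddb/users  (same pattern as dhanushka's: the first matching
# DEFAULT entry wins, so anyone outside the group reaches the Reject entry)
DEFAULT Ldap-Group == "CN=Network Admins,OU=Groups,DC=example,DC=com"
        Reply-Message = "Accepted"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the required group"
```

The ldap module has to be referenced in the authorize section of the virtual server so that it is instantiated and registers the Ldap-Group comparison; otherwise the users file check never consults AD.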
