Can't figure out Group Authentication

NdK ndk.clanbo at gmail.com
Wed Jun 27 12:40:17 CEST 2012


Il 26/06/2012 17:14, Julson, Jim ha scritto:
> Forgive my ignorance, but the variable that you are suggesting I use
> would be something that I had to create locally on my RADIUS servers
> right? The idea is that we use our central point of management which
> in our case is Active Directory.
You have to define a local variable to hold the group name (or the group
SID, but while making auth faster it makes management harder). Then
assign to it a value based on where you receive your request from (a
switch, a "public" server, a "private" server, a VPN endpoint...) and
pass it to ntlm_auth in the --require-membership-of option.
If the user trying to access is not in that group, he's denied access
(ntlm_auth checks group membership in AD).

> We have hundreds of servers
> ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes.
> So managing groups on a "per radius server" basis isn't really a
> good choice from a management perspective.  Using the Active
> Directory domain, we can have our admins move folks in and out
> of groups as necessary.  
That's exactly what AD is for. But I usually join the PCs to it so I can
have better integration (one for all: AD groups get mapped to Unix groups).

> Did I understand your suggestion right?
I don't think so.
>  Or is that variable "--require-membership-of="
That's not a variable, that's a parameter for ntlm_auth.
> something that can help me achieve what I want to do?
It restricts access to members of that group. IIUC that's what you need.

> I thought I had to use LDAP for Group Authorization...
You don't need to. At least not for such a basic thing.

To be more clear (not actually tested):
1) add "ATTRIBUTE Require-Group 3000 string" to dictionary
2) add "DEFAULT Require-Group := 'default-ad-group'" to users
3) change ntlm_auth line in modules/mschap to include
"--require-membership-of=%{Require-Group}"

Now restart FR and it should accept only users in 'default-ad-group'.
If that's OK, now you have to find "some way" to differentiate the NAS (or
NAS group) from where the user is requesting access and use unlang to
change the Require-Group value as needed.

BYtE,
 Diego.
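Putting the three steps and the per-NAS selection together, as an added example (my own sketch, not Diego's configuration, and like his not tested against a live AD). It assumes FreeRADIUS 2.x syntax; the NAS addresses, huntgroup names, AD group names and the EXAMPLE domain are placeholders. The attribute is set in the control list from unlang, so the ntlm_auth line reads it back with %{control:...}:

```conf
# --- raddb/dictionary (site-local dictionary; 3000-4000 is the local range)
ATTRIBUTE   Require-Group   3000    string

# --- raddb/huntgroups: name the NAS groups (addresses made up for this example)
vpn         NAS-IP-Address == 192.0.2.10
switches    NAS-IP-Address == 192.0.2.20
switches    NAS-IP-Address == 192.0.2.21

# --- raddb/sites-enabled/default, authorize section: pick the AD group per NAS.
# "preprocess" must run first so Huntgroup-Name is available. The value goes
# into the control list, which is why the mschap line below uses %{control:...}.
authorize {
    preprocess
    if (Huntgroup-Name == "vpn") {
        update control {
            Require-Group := "vpn-users"
        }
    }
    elsif (Huntgroup-Name == "switches") {
        update control {
            Require-Group := "network-admins"
        }
    }
    else {
        # fail closed: a request from an unknown NAS still gets a group,
        # so ntlm_auth never runs without a membership requirement
        update control {
            Require-Group := "default-ad-group"
        }
    }
    mschap
}

# --- raddb/modules/mschap: the stock ntlm_auth line plus the membership check.
# ntlm_auth rejects the login if the user is not in the named AD group.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=%{control:Require-Group}"
```

Before wiring it into FreeRADIUS, check the membership test by hand on the RADIUS host: `ntlm_auth --username=someuser --domain=EXAMPLE --require-membership-of=vpn-users` prompts for the password and prints NT_STATUS_OK only if both the password and the group check pass. Depending on the winbind setup the group may have to be given as DOMAIN\group or as its SID. Note that this enforcement lives only in the ntlm_auth path; any other Auth-Type you leave enabled (PAP against LDAP, for instance) bypasses it.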


More information about the Freeradius-Users mailing list