Group verification with Multiple SSID

Chitrang Srivastava chitrang.srivastava at gmail.com
Mon Oct 1 14:28:21 CEST 2012


Hi,

I have a use case where I have 2 SSIDs and 2 databases of users: one set of
locally configured users in a group and another set of users on an LDAP server.

SSID 1 -> Local group of users on radius server
SSID 2 -> Set of users configured in LDAP
Authentication: PEAP-MSCHAPv2

I have modified the mschap module to do ntlm_auth for SSID 2 and use the
default mschap module for SSID 1. So now I have 2 mschap modules in my
radiusd.conf and use unlang to place if-elsif conditions in the authorize and
authenticate blocks.

The above setup is working fine.

But I also need to verify the LDAP group (i.e. whether the user belongs to the
group or not). The issue is that, for SSID 1 users, radiusd is trying to do a
group comparison on the LDAP server, which eventually fails. I guess the reason
for this is that we have 1 users file and radiusd refers to it for each user.
There should be a way for radiusd to know which users file to refer to for
each SSID.

To solve the issue I have created 2 users files:
users -> for LDAP users group policy
users_local -> for local users

I created 2 modules like this:

        # Second instance of the "files" module, named files_local
        files files_local {
                # users_local is the file created above
                usersfile = ${confdir}/users_local
                acctusersfile = ${confdir}/acct_users
                compat = no
        }

and modified the authorize block:

        if (Wlan == "local") {
                files_local
        }
        elsif (Wlan == "ldap") {
                redundant {
                        ldap_primary
                        ldap_secondary
                }
        }
        else {
                files_local
        }

It seems to be working. I just wanted to check with the experts here: is this
the way to go,
or is there some other, simpler way?