Freeradius - how to reply "memberof" active directory information for Strongswan

Sébastien Genesta genesta.sebastien at gmail.com
Tue Sep 24 20:34:46 CEST 2019


Hi,

I'm using Freeradius for the Active Directory authentication of my
Strongswan clients.

My goal is to declare 2 vpn connections with different virtual IP leases,
allowing me to separate traffic (as an example, one vpn connection for
sales and the other for technicians).

To do it, I'm trying to use Group selection option (rightgroups) on
Strongswan.

According to the Strongswan documentation (
https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius), I have to
use the Class attribute on my freeradius server to return the group membership.

The issue is that I don't know how.

I'm using mschap for authentication to Active Directory.

*My current configuration:*

*/etc/freeradius/3.0/mods-available/mschap*

with_ntdomain_hack = yes
require_encryption = yes
require_strong = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"


*/etc/freeradius/3.0/mods-enabled/eap*

eap {
[...]
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no

*/etc/freeradius/3.0/clients.conf*

client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = <radius-secret>
        require_message_authenticator = no
        nas_type = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}

# IPv6 Client
#client localhost_ipv6 {
#       ipv6addr        = ::1
#       secret          = testing123
#}

I've tried to follow this post but it didn't work
http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td5752289.html


More precisely, the part below (replacing the ldap module with the mschap
module and also changing the path because my freeradius version is 3.0):

*1) Added a mapping in ldap mod.*

# /etc/raddb/mods-enabled/ldap
ldap {
...
  update {
     ...
     reply:memberOf                  += 'memberOf'
  }
...
}

*2) Added an Attribute reference*

# /etc/raddb/dictionary
ATTRIBUTE memberOf                3001    string

*3) Added a update reply*

# /etc/raddb/sites-enabled/default
post-auth {
...
        foreach &reply:memberOf {
            update reply {
                Class += "%{Foreach-Variable-0}"
            }
        }
...
}

I also tried to set the information below (according to
http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html):

post-auth {
...
        update reply {
                Class += %{Group}
        }
...
}

I've searched across the Internet but didn't find a way to do it
properly.

Is there any official guide explaining how to reply with the memberOf attribute?
How can I do it?

Thanks for your help
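As an added illustration (not the original poster's configuration and not an official FreeRADIUS recipe): the thread linked above relied on the ldap module to fetch memberOf, which the mschap module cannot do on its own, so this variant keeps mschap/ntlm_auth for authentication and adds an ldap lookup for the group DNs, then maps each DN to a short Class value in post-auth. The server name, bind account, group DNs and the 'sales'/'technicians' strings are placeholders; the Class strings are what rightgroups= on the strongSwan side would match, and the example assumes strongSwan relays plain EAP-MSCHAPv2, so the default virtual server (not inner-tunnel) processes the request.

```unlang
# /etc/freeradius/3.0/mods-available/ldap  (symlinked into mods-enabled)
# Read-only group lookup; mschap/ntlm_auth still performs the authentication.
ldap {
    server   = 'dc1.example.internal'                              # placeholder DC
    identity = 'CN=svc-radius,OU=Service,DC=example,DC=internal'   # placeholder bind account
    password = '<bind-password>'
    base_dn  = 'DC=example,DC=internal'
    user {
        base_dn = "${..base_dn}"
        # AD logon name; Stripped-User-Name exists when a domain/realm prefix was removed
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        # Each memberOf DN of the entry is stored in the reply list as the internal
        # attribute memberOf (requires "ATTRIBUTE memberOf 3001 string" in the dictionary).
        reply:memberOf += 'memberOf'
    }
}

# /etc/freeradius/3.0/sites-enabled/default
authorize {
    # ... existing entries (mschap, eap, ...) stay as they are ...
    ldap      # authorization lookup only; populates reply:memberOf
}

post-auth {
    # Map group DNs to the short strings strongSwan compares against rightgroups=.
    # Only the two VPN groups are surfaced; every other membership stays server-side.
    foreach &reply:memberOf {
        switch "%{Foreach-Variable-0}" {
            case 'CN=VPN-Sales,OU=Groups,DC=example,DC=internal' {    # placeholder DN
                update reply {
                    Class += 'sales'
                }
            }
            case 'CN=VPN-Tech,OU=Groups,DC=example,DC=internal' {     # placeholder DN
                update reply {
                    Class += 'technicians'
                }
            }
            case {
                # unrelated group: nothing is returned for it
            }
        }
    }
    # Remove the internal attribute so only the mapped Class values accompany the Access-Accept.
    update reply {
        &memberOf !* ANY
    }
}
```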

