Active Directory authenticated VPN
Pisch Tamás
pischta at gmail.com
Mon Apr 26 08:58:46 CEST 2021
> > winbind_username = "%{mschap:User-Name}"
> > winbind_domain = "%{mschap:NT-Domain}"
> >
> > in mschap, but how I can filter users?
>
> Use LDAP group checking. The "winbind" feature just does
> authentication. It doesn't do anything else.
>
I tried to implement this:
https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
Do I need multiple items in the authenticate and the authorize section?
Wouldn't be enough mschap for authentication (and I set winbind_username
and winbind_domain in it), and ldap for authorization?
>
> See the LDAP-Group documentation for how to use LDAP groups.
Where can I find it?
> In recent versions of the server, there are even pointers to this in
> mods-available/ldap
>
I found a group section in the ldap module, but I would need help for that.
How can I filter for vpnusers group?
I tried to filter according to this:
http://lists.freeradius.org/pipermail/freeradius-users/2016-December/085979.html
group-authorization {
if (&LDAP-Group[*] ==
"cn=vpnusers,cn=Users,dc=ad,dc=ourdomain,dc=hu") {
ok
}
else {
reject
}
}
Now, I get error message, when I try to start the freeradius server:
/etc/freeradius/3.0/mods-enabled/eap[14]: Failed to find 'Auth-Type EAP'
section. Cannot authenticate users.
/etc/freeradius/3.0/mods-enabled/eap[14]: Instantiation failed for module
"eap"
Before I made my last changes, it didn't complain about eap. Eap is not
listed in my default server file. I removed it from the mods-enabled dir
(but later I'm going to set up eduroam, and it will need EAP).
I linked ldap into the mods-enabled. Now I get this error message:
rlm_ldap (ldap): Bind with cn=vpn,dc=ad,dc=ourdomain,dc=hu to
ldap://localhost:389 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
I started to create certificate, but when I run make, it misses password.mk
file. I don't have it. How it looks like/how can I generate it?
Regards,
Tamas.
More information about the Freeradius-Users
mailing list