<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I appreciate the configuration and the help.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Unfortunately, the syntax will be a little different for the LDAP module since I’m querying a Microsoft Active Directory and not an OpenLDAP server. The filters,
access attributes and other various settings are completely different from what Microsoft passes in their LDAP attributes.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Again, thank you for the input though. If anyone else has what they use for their filters, I’d absolutely appreciate a working reference from /etc/raddb/modules/ldap. I think that’s my one main problem.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org]
<b>On Behalf Of </b>dhanushka ranasinghe<br>
<b>Sent:</b> Tuesday, June 26, 2012 9:51 PM<br>
<b>To:</b> FreeRadius users mailing list<br>
<b>Subject:</b> Re: Can't figure out Group Authentication<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi...<br>
<br>
I was able to get OpenLDAP group authentication + PAP with RADIUS. I used the following settings.<br>
<br>
In the users file (the reply item must be on an indented continuation line):<br>
<br>
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihk,dc=com"<br>
&nbsp;&nbsp;&nbsp;&nbsp;Reply-Message = "You are Accepted"<br>
<br>
DEFAULT Auth-Type := Reject<br>
<br>
<br>
and in /etc/freeradius/modules/ldap:<br>
<br>
server = "<a href="http://ldap.ihx.com">ldap.ihx.com</a>"<br>
identity = "cn=admin,dc=openldap,dc=ihx,dc=com"<br>
password = abc<br>
basedn = "dc=openldap,dc=ihx,dc=com"<br>
filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"<br>
access_attr = "mail"<br>
authtype = ldap<br>
<br>
<br>
<br>
and uncomment the following lines in /etc/freeradius/modules/ldap:<br>
<br>
groupname_attribute<br>
groupmembership_filter<br>
groupmembership_attribute<br>
<br>
Hope this helps,<br>
<br>
<br>
Thank you<o:p></o:p></p>
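<p class="MsoNormal">An added illustration (not part of any message in this thread, and not FreeRADIUS code) of what the posted rlm_ldap settings do: the <code>%{Stripped-User-Name:-%{User-Name}}</code> fallback, RFC 4515 escaping of the value substituted into the filter, a groupmembership_filter of the shape rlm_ldap 2.x ships by default, and a memberOf-based membership check of the kind used against Active Directory. The default filter text, the memberOf attribute name and all sample data are assumptions.</p>

```python
# Added example (not from the mailing-list thread): models how rlm_ldap turns the
# posted configuration into LDAP filters and a group decision, and why RADIUS
# attributes supplied by the client must be escaped before reaching the directory.
from typing import Dict, List

# RFC 4515 filter-value escaping: these characters would otherwise change the
# filter's structure when a User-Name such as "*" or "x)(cn=*" is substituted.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def xlat_username(request: Dict[str, str]) -> str:
    """%{Stripped-User-Name:-%{User-Name}}: use Stripped-User-Name, else User-Name."""
    return request.get("Stripped-User-Name") or request["User-Name"]

def user_filter(request: Dict[str, str], attr: str = "mail") -> str:
    """Equivalent of filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"."""
    return f"({attr}={ldap_escape(xlat_username(request))})"

def group_filter(user_dn: str) -> str:
    """Assumed rlm_ldap 2.x default groupmembership_filter (OpenLDAP group
    object classes); %{Ldap-UserDn} is the DN found by user_filter()."""
    dn = ldap_escape(user_dn)
    return ("(|(&(objectClass=GroupOfNames)(member=%s))"
            "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))" % (dn, dn))

def in_group_by_attribute(user_entry: Dict[str, List[str]], group_dn: str,
                          membership_attr: str = "memberOf") -> bool:
    """Check used when groupmembership_attribute is set (memberOf is the
    attribute Active Directory keeps on the user; assumed here). DNs are
    compared case-insensitively, a simplification of full DN matching."""
    wanted = group_dn.lower()
    return any(v.lower() == wanted for v in user_entry.get(membership_attr, []))

def users_file_decision(user_entry: Dict[str, List[str]], group_dn: str) -> Dict[str, str]:
    """The two DEFAULT entries posted: a group member gets the Reply-Message,
    anyone else falls through to 'DEFAULT Auth-Type := Reject'."""
    if in_group_by_attribute(user_entry, group_dn):
        return {"Reply-Message": "You are Accepted"}
    return {"Auth-Type": "Reject"}

if __name__ == "__main__":
    # Constructed sample requests, not from a real NAS or directory.
    print(user_filter({"User-Name": "alice@example.com"}))
    print(user_filter({"User-Name": "*)(objectClass=*"}))  # escaped, not a wildcard
```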
<div>
<p class="MsoNormal">On 26 June 2012 20:44, Julson, Jim <<a href="mailto:jjulson@marketron.com" target="_blank">jjulson@marketron.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Forgive my ignorance, but the variable that you are suggesting I use would be something that I had to create locally on my RADIUS servers right? The idea is that we use our central point of management which in our case is Active Directory.
We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes. So managing groups on a "per radius server" basis isn't really a good choice from a management perspective. Using the Active Directory domain, we can have our admins
move folks in and out of groups as necessary.<br>
<br>
Did I understand your suggestion right? Or is that variable "--require-membership-of=" something that can help me achieve what I want to do? I thought I had to use LDAP for Group Authorization...<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
-----Original Message-----<br>
From: freeradius-users-bounces+jjulson=<a href="mailto:marketron.com@lists.freeradius.org">marketron.com@lists.freeradius.org</a> [mailto:<a href="mailto:freeradius-users-bounces%2Bjjulson">freeradius-users-bounces+jjulson</a>=<a href="mailto:marketron.com@lists.freeradius.org">marketron.com@lists.freeradius.org</a>]
On Behalf Of NdK<br>
Sent: Tuesday, June 26, 2012 3:36 AM<br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Re: Can't figure out Group Authentication<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">On 22/06/2012 17:32, Julson, Jim wrote:<br>
<br>
> Now, the problem is this. Following Alan DeKok's guide at <a href="http://deployingradius.com/documents/configuration/active_directory.html" target="_blank">
http://deployingradius.com/documents/configuration/active_directory.html</a>, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort. There were a few things I had to go elsewhere to figure out, but I managed. I have FreeRADIUS
setup and authenticating using NTLM_AUTH. I was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users. So the problem is this.
It's authenticating...a little too well.<br>
<br>
<br>
<br>
Why not add a "default group" var (to be overridden for specific<br>
clients) and pass it to ntlm_auth in "--require-membership-of="<br>
parameter? That way you can filter who can authenticate from any NAS.<br>
And IIUC huntgroups, you can even define groups of clients...<br>
<br>
Please correct me if I'm wrong.<br>
<br>
BYtE,<br>
Diego.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">
http://www.freeradius.org/list/users.html</a><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">The information contained in this e-mail message may be confidential and<br>
protected from disclosure. If you are not the intended recipient, any<br>
dissemination, distribution or copying is strictly prohibited. If you<br>
think that you have received this e-mail message in error, please notify<br>
the sender immediately by replying to this message and then delete it<br>
from your system.<o:p></o:p></p>
</div>
<div>
<div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>