Forgive my ignorance, but the variable that you are suggesting I use would be something that I had to create locally on my RADIUS servers right? The idea is that we use our central point of management which in our case is Active Directory. We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes. So managing groups on a "per radius server" basis isn't really a good choice from a management perspective. Using the Active Directory domain, we can have our admins move folks in and out of groups as necessary. Did I understand your suggestion right? Or is that variable "--require-membership-of=" something that can help me achieve what I want to do? I thought I had to use LDAP for Group Authorization... -----Original Message----- From: freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org] On Behalf Of NdK Sent: Tuesday, June 26, 2012 3:36 AM To: freeradius-users@lists.freeradius.org Subject: Re: Can't figure out Group Authentication Il 22/06/2012 17:32, Julson, Jim ha scritto:
Now, the problem is this. Following Alan DeKok's guide at http://deployingradius.com/documents/configuration/active_directory.html, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort. There were a few things I had to go elsewhere to figure out, but I managed. I have FreeRADIUS setup and authenticating using NTLM_AUTH. I was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users. So the problem is this. It's authenticating...a little too well.
Why not add a "default group" var (to be overridden for specific clients) and pass it to ntlm_auth in "--require-membership-of=" parameter? That way you can filter who can authenticate from any NAS. And IIUC huntgroups, you can even define groups of clients... Please correct me if I'm wrong. BYtE, Diego. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information contained in this e-mail message may be confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail message in error, please notify the sender immediately by replying to this message and then delete it from your system.