Hi Jason Am 19.08.2019 um 08:29 schrieb WAGHORN, Jason (NHS BORDERS) via Freeradius-Users:
How does changing the auth method alter who can get on? Configure the LDAP module and insert group checks in the post-auth section as mentioned in the wiki: https://wiki.freeradius.org/modules/Rlm_ldap#group-support
If I use NTLM_AUTH/WINBIND - it's harder to restrict access to a particular AD Group ("valid user, valid credentials = accept" versus LDAP: "valid user, valid credentials, correct group entry = accept") - no?
AFAIR using ntlm_auth all you can do is provide a single the option "--require-membership-of" to the execution of "ntlm_auth = /usr/bin/ntlm_auth ..." in mods-available/mschap. However: If you need to permit more than one group or specific user attributes, overall using LDAP is just easier to do a post-auth check. This way you also clearly separate authentication from authorization which also helps during issues when you read debug logs since it will easily tell you if authentication OR authorization has caused a access-reject.
Since I've read here over the past week or so everyone simply says "use LDAP" when the question of AD group restriction is posed - I got the impression that moving to LDAP would be the way to go... Yes, for authorization it is "use LDAP". You are tied to ntlm_auth/libwbinfo in terms of authentication due to the clear-text passwords being unavailable through Active Directory.[1]
-- Mathieu [1] http://deployingradius.com/documents/configuration/active_directory.html