Re: AD Group Check - multi SSID - Pass "Require-membership-of" to NTLM_AUTH as variable.
Hi, Could someone give me some "ways to go" with LDAP module? Online tutos ? that goes from A to Z ? What about "FreeRadius" flow.... difference between default, inner-tunnel? Authentication and authorization? :shy: Thanks in advance Have a nice day 2017-01-30 10:39 GMT+01:00 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
So, for exemple, SSID-Corp-Employee is only accessible to a certain users, member of ADgroupA , and SSID-Corp-Direction, only accessible to users, member of ADgroupB
When only authenticating with 1 single AD group, there is no problem, the :
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User- Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re sponse}:-00}"
dont do that. leave authentication alone and use authorization
so, use simple LDAP check to verify if someone can connect - this scales because you match the SSID to the LDAP group..so , configure the LDAP module so it can query your LDAP (which is AD) for the users group and then
if ( ldap_stuff_here != &Called-Station-SSID) { reject }
LDAP stuff can either be an LDAP-Group call or a %{ldap:} call. basically, get value from LDAP and check against that supplied in the RADIUS request
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jan 31, 2017, at 1:40 PM, Pierre de Jong <pierredejong@gmail.com> wrote:
Could someone give me some "ways to go" with LDAP module? Online tutos ? that goes from A to Z ?
See http://wiki.freeradius.org. Do a search for "ldap".
What about "FreeRadius" flow.... difference between default, inner-tunnel? Authentication and authorization?
The wiki contains a lot of information. There's also some documentation available on my company's site: http://networkradius.com/freeradius-documentation/ The "FreeRADIUS technical guide" contains a detailed introduction to the server and how it works. Alan DeKok.
participants (2)
-
Alan DeKok -
Pierre de Jong