Cisco AP 1240AG - PEAP/MSCHAPv2 with ntlm_auth
hi my situation: ive Windows 2003 Server Domaincontrollers. i use freeradius who authenticates the clients in the domain with ntlm_auth. only users they will be in the group "wireless" have access to the wireless: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=DOMAIN\\WIRELESS" my question is now: how can i realize that ive 2 ssid, one ssid=administrators, and the other ssid=users, i omit the "--require-membership-of=DOMAIN\\WIRELESS" on the ntlm authentication and make two groups in the active directory: -- wireless_admin - ssid1=adminis -- wireless_users - ssid2=users when the user is a member of admins he become the vlan and the ssid for Administrators, and when the user is a member of users he become the vlan and the ssid for Users. is that possible to configure it in the "/etc/raddb/users" like following, but without user1, instead of this a group... user1 Auth-Type := EAP Cisco-AVPair := "ssid=admins", Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN user2 Auth-Type := EAP Cisco-AVPair := "ssid=users", Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN somone has experience to associate ntlm and group differentiation... and how can i do that the Admins can also login via shell, and the user only authentication no shell or something like that? thx Konne
participants (1)
-
Konne