At 05:57 PM 11/25/2009, Rick Steeves wrote:
I have the cisco configured per that guide already . However, I don't want to put user / password info in the users file, because that would defeat part of the model of centralized authentication to AD. So I want that to feed authentication back to radius > AD as well.
Perhaps my question is how to integrate Per User Privilege Level You can also send the privilege level (enable mode is level 15) for individual users as a reply item to automatically put them into that level with cisco-avpair = "shell:priv-lvl=15" You can do this with an entry in your users file similar to the following youruser Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" into the AD part, instead of into the users file? I had planned to just use AD security groups .... rick
Rick
freeradius@corwyn.net wrote:
Perhaps my question is how to integrate
Per User Privilege Level
You can also send the privilege level (enable mode is level 15) for individual users as a reply item to automatically put them into that level with cisco-avpair = "shell:priv-lvl=15"
You can do this with an entry in your users file similar to the following
youruser Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
into the AD part, instead of into the users file? I had planned to just use AD security groups .... Configure AD as ldap server in ldap module (.raddb/modules/ldap). Then add to users file:
DEFAULT Ldap-Group == "max_priv_level" or whatever is your group called Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" Ivan Kalik
At 06:24 PM 11/25/2009, you wrote:
Configure AD as ldap server in ldap module (.raddb/modules/ldap). Then add to users file:
DEFAULT Ldap-Group == "max_priv_level" or whatever is your group called Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
Excellent. Thank you. Rick PS Noticed earlier that if I put a space in front of DEFAULT the behaviour changes. quirky. PPS I noticed in the guide for radiusd.conf it suggests: exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" } yet I think it should be (an extra ntlm_auth?) exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" }
At 05:58 PM 11/29/2009, tnt@kalik.net wrote:
Hmm, is there supposed to be a ldap module by default? Because I don't have that.
Yes, in 2.x.
Nope. Brand new clean install of the RPM freeradius2-libs-2.1.7-2.el5 freeradius2-2.1.7-2.el5 freeradius2-utils-2.1.7-2.el5 at least does not include ./raddb/modules/ldap Rick
At 06:26 PM 11/29/2009, freeradius@corwyn.net wrote:
at least does not include ./raddb/modules/ldap
Default startup even gives: Module: Checking authenticate {...} for more modules to load /etc/raddb/sites-enabled/default[287]: Failed to find module "eap". /etc/raddb/sites-enabled/default[234]: Errors parsing authenticate section.
At 05:58 PM 11/29/2009, tnt@kalik.net wrote:
Hmm, is there supposed to be a ldap module by default? Because I don't have that.
Yes, in 2.x.
Nope. Brand new clean install of the RPM freeradius2-libs-2.1.7-2.el5 freeradius2-2.1.7-2.el5 freeradius2-utils-2.1.7-2.el5
Ah, you need to install freeradius2-ldap then. Ivan Kalik
Ah, you need to install freeradius2-ldap then.
Yeah, that would do it. OK, so since I have two different groups I'm trying to authenticate, given previous advice, I'm going to need to copy the ldap module to, say, ldap_a and ldap_b, and then in each copied module make a change from ldap {..} to ldap ldap_a {..} and ldap ldap_b {..} respectively? (and then the appropriate changes in my respective virtual servers?) rick
participants (3)
-
freeradius@corwyn.net -
Ivan Kalik -
tnt@kalik.net