Hello, I'm new to this, so please show mercy on me. I managed to get Freeradius to work with AD. I have one SSID setup at the moment on the controller. So far any user with AD credentials that log into our wireless, gets connected. My boss wants me to tweak the system a bit to separate staff from students. We have an OU for staff and another for students. The problem I have is I have no idea where in radius do I configure this option. We want to be able to tell radius that if a student logs into for example to the staff SSID they are rejected but if they log into their student SSID, access is granted. How do I make that happen? Thank very much for any help you can provide.
Hi Jose Am 28.04.2016 um 20:28 schrieb Jose via Freeradius-Users: [...]
My boss wants me to tweak the system a bit to separate staff from students. We have an OU for staff and another for students. The problem I have is I have no idea where in radius do I configure this option. We want to be able to tell radius that if a student logs into for example to the staff SSID they are rejected but if they log into their student SSID, access is granted.
How do I make that happen? Thank very much for any help you can provide. So what you (likely) do is authentication (are the credentials correct?) but no authorization (is the person allowed?).
I guess that you'll want to look into LDAP authorization. For that you'll have to setup and enable the LDAP module to talk to your AD domain controllers. You can configure the LDAP module to look up users and in the post-auhorize section of the virtual server where you can check if the user is i.e. part of a certain group. (what I do) If you have separate OUs you may read the DistinguishedName attribute and do some matching based on that. Concerning the 2 SSIDs: Depending on your wireless hardware you may be able to do radius-based VLAN assignment where you can (after checking the authorization) add to the reply to the AP or Wireless controller the VLAN ID. The AP or controller will then put the respective traffic in the respective VLAN. This way you can have 1 SSID for all users but they will be put in their respective VLAN which keeps staff and students separate from each other.
From a support perspective it's useful since you have to tell users to just connect to this one SSID (they don't have to think about who they are and then select the right SSID).
It's only pointers here but if you can share your current configuration (i.e. if you followed the AD documentation on the Wiki) more precise answers may be possible. -- Mathieu
We currently have an OpenLDAP server where we have users in various OUs.We also have Active Directory with our students and staff in different OUs. How do we configure radius to authenticate with a particular OU instead of everything?For example, only have it authenticate with OU=students. Thanks. From: Mathieu Simon (Lists) <matsimon.lists@simweb.ch> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Thursday, April 28, 2016 2:56 PM Subject: Re: Freeradius with AD Hi Jose Am 28.04.2016 um 20:28 schrieb Jose via Freeradius-Users: [...]
My boss wants me to tweak the system a bit to separate staff from students. We have an OU for staff and another for students. The problem I have is I have no idea where in radius do I configure this option. We want to be able to tell radius that if a student logs into for example to the staff SSID they are rejected but if they log into their student SSID, access is granted.
How do I make that happen? Thank very much for any help you can provide. So what you (likely) do is authentication (are the credentials correct?) but no authorization (is the person allowed?).
I guess that you'll want to look into LDAP authorization. For that you'll have to setup and enable the LDAP module to talk to your AD domain controllers. You can configure the LDAP module to look up users and in the post-auhorize section of the virtual server where you can check if the user is i.e. part of a certain group. (what I do) If you have separate OUs you may read the DistinguishedName attribute and do some matching based on that. Concerning the 2 SSIDs: Depending on your wireless hardware you may be able to do radius-based VLAN assignment where you can (after checking the authorization) add to the reply to the AP or Wireless controller the VLAN ID. The AP or controller will then put the respective traffic in the respective VLAN. This way you can have 1 SSID for all users but they will be put in their respective VLAN which keeps staff and students separate from each other.
From a support perspective it's useful since you have to tell users to just connect to this one SSID (they don't have to think about who they are and then select the right SSID).
It's only pointers here but if you can share your current configuration (i.e. if you followed the AD documentation on the Wiki) more precise answers may be possible. -- Mathieu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Jose Am 28.04.2016 um 21:16 schrieb Jose via Freeradius-Users:
We currently have an OpenLDAP server where we have users in various OUs.We also have Active Directory with our students and staff in different OUs. How do we configure radius to authenticate with a particular OU instead of everything?For example, only have it authenticate with OU=students. Thanks.
I'm only focusing on AD for authorization, if you want to have both OpenLDAP and AD as (alternate) authentication/authorization source you'll have to make things a bit different (i.e. more mingling with unlang(5) ), that aside: The link you sent only shows AD authentication. Since AD doesn't allow reading the password directly is why you need Samba/winbind to validate credentials.* (also look in the FreeRADIUS wiki) However your AD can be accessed for authorization like (almost?) any other LDAP directrory server using the rlm_ldap module. Consider reading the wiki page on the LDAP module rlm_ldap**, its manpage as well as the default config file of rlm_ldap. It contains useful comments. I can only recommend using 3.0 if you didn't already started with that version. rlm_ldap in 3.0.x has become easier to configure than in it used to be with 2.0.x. You'll have to configure rlm_ldap to connect to your AD servers including the attribute values that AD uses (like uid vs. sAMAccountName) and make sure the ldap module is enabled in your config. When done you can add checks in the post-auth section of inner-tunnel (if using PEAP-MSCHAPv2) similar to the examples in the FR wiki. You'll definitely want to read the unlang(5) manpage in order to do other things like matching the OU which is part of the distinguishedName attribute in AD. Hope that gives you some ideas to look further. -- Mathieu *See: http://deployingradius.com/documents/protocols/oracles.html ** http://wiki.freeradius.org/modules/Rlm_ldap
participants (2)
-
Jose -
Mathieu Simon (Lists)