RE: MSSCHAP auth + LDAP authorizaton (Working. Sort Of)
OK, I achieved my goal to get freeradius authenticate via mschap challenge-response and authorize via LDAP search. I's working, though, I'm not sure, that I'm doing it right. This "solution" works only with one group (my example, VPNusers). I think it is not expandable to the scenario like: "authorize user when it belongs to the group VPNusers autohorize user when it comes form IP of some WiFi access point disregarding any groups" So, I'm looking forward to any suggestions how to make this configuration better and expandable. But this far, when you have only one group and no IF, AND, OR logic is neccessary, following will work: MSCHAP Follow this great tutorial http://deployingradius.com/documents/configuration/active_directory.html If last part gives you an error (like it did to me) check if freeradius user have rights to talk with winbind. ldap module conf ldap { <------>server = "local.track.ee" <------>identity = "CN=ldapbind,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee" <------>password = "XXXXXXXXXXXXXXX" #Note to Tobias Haschmer - ldapbind user needs to be specifically configured in AD! # follow this instruction http://www.advproxy.net/ldapads.html <------>basedn = "DC=local,DC=track,DC=ee" <------>filter = "(&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee))" <------>#base_filter = "(objectclass=radiusprofile)" Suggestions: test your queries and ldap stuff on some LDAP client. Like JExplorer (its free) #magic parameters for AD LDAP to work <------> chase_referrals = yes <------> rebind = yes inner-tunnel and default, authorize stanza
ldap { <------> notfound = reject <------> }
It's not very flexible configuration, list user Matthew Newton had some ideas, how to make it better. A.
Il 04/04/2012 12:49, Andres Septer ha scritto:
OK, I achieved my goal to get freeradius authenticate via mschap challenge-response and authorize via LDAP search. I's working, though, I'm not sure, that I'm doing it right. This "solution" works only with one group (my example, VPNusers). I think it is not expandable to the scenario like:
"authorize user when it belongs to the group VPNusers autohorize user when it comes form IP of some WiFi access point disregarding any groups" Why not setting the group to check membership of in a variable based on the NAS sending the request? Or, maybe, by using huntgroups (not sure... still have to understand 'em fully).
BYtE, Diego.
participants (2)
-
Andres Septer -
NdK