AD Group Check - multi SSID - Pass "Require-membership-of" to NTLM_AUTH as variable.
Hi all, I am trying to set up a FreeRadius (v3.12 on debian8) to authenticate against MS Active Directory, with AD group membership requierement for "multiple SSID". So, for exemple, SSID-Corp-Employee is only accessible to a certain users, member of ADgroupA , and SSID-Corp-Direction, only accessible to users, member of ADgroupB When only authenticating with 1 single AD group, there is no problem, the :
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re sponse}:-00}"
does the trick... So, what I thaught could be the easiest way, is to pass the "--require-membership-of=" as parameter... and even more, that AD group would be the same as the SSID ... So, when a new SSID is created, no need to change any in the freeradius, just create the AD group according to the SSID, and ... that's it. i put this in the Authorize section of "DEFAULT" and "inner-tunnel", just after the "filter_username" ############################################################ ############################# rewrite_called_station_id if (&Called-Station-SSID == "rad01") { update request { NTLM-Group-Required := "GALAXY\rad01" User-Name := "pierre" } } elsif (%Called-Station-SSID == "RAD02") { update request { NTLM-Group-Required := "GALAXY\RAD02" } } ############################################################ ############################# It seems that it's parsed correct: # policy rewrite_called_station_id = updated (76) if (&Called-Station-SSID == "rad01") { (76) if (&Called-Station-SSID == "rad01") -> TRUE (76) if (&Called-Station-SSID == "rad01") { (76) update request { (76) NTLM-Group-Required := "GALAXY\rad01" and my "NTLM_Auth" is the: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--require-membership-of=%NTLM-Group-Required --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re sponse}:-00}"
but it does not work... for information, if I replace %NTLM-Group-Required by GALAXY\rad01 it does work correct. Is there any way someone could give me advice on how to achieve this... or any other way to achieve this ? Of course, needless to say, I am no expert in "FreeRadius", so, please, excuses me if it's not the way to go, or if my assomption are wrond Thanks in advance for your reading and your time. I have join to the mail a attached file with "a radiusd -X" session.... (No idea if "attached files pass... sorry, not used the mailling list much so fare :-D ) Pierre de Jong
Hi,
So, for exemple, SSID-Corp-Employee is only accessible to a certain users, member of ADgroupA , and SSID-Corp-Direction, only accessible to users, member of ADgroupB
When only authenticating with 1 single AD group, there is no problem, the :
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re sponse}:-00}"
dont do that. leave authentication alone and use authorization so, use simple LDAP check to verify if someone can connect - this scales because you match the SSID to the LDAP group..so , configure the LDAP module so it can query your LDAP (which is AD) for the users group and then if ( ldap_stuff_here != &Called-Station-SSID) { reject } LDAP stuff can either be an LDAP-Group call or a %{ldap:} call. basically, get value from LDAP and check against that supplied in the RADIUS request alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Brian Candler -
Pierre de Jong