Autz-Type Config Clarification
affora deeb
engineerafraa at gmail.com
Thu Aug 24 10:07:21 CEST 2006
Please would you help me to set up FreeRADIUS step by step on Linux, and the
configuration, as soon as possible?
On 8/22/06, Nathan L. Cable <nathan at filmwest.com> wrote:
>
> Thank you very much for that! That was exactly the solution I was looking
> for. Now, I only have one instance of mschap, and the physical location of
> the wireless access points defines which group mschap looks for users in.
>
> Unfortunately, Windows Server 2003's LDAP server was not an option at my
> site because the passwords are not stored in the database. So, mschap was
> the next choice.
>
> Thank you very much for that solution - it's much more elegant than anything
> I've managed to come up with so far!
>
> Nathan
>
> PS. For anyone wanting to use Apple wireless points with their network, use
> the "Calling-Station-ID" attribute to identify your base stations, not the
> "Called-Station-ID". The latter does not work for my particular setup.
>
>
> > From: Phil Mayers <p.mayers at imperial.ac.uk>
> > Reply-To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Date: Mon, 21 Aug 2006 12:40:42 +0100
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: Autz-Type Config Clarification
> >
> > Nathan L. Cable wrote:
> >> I'm setting up a Radius environment which covers several physical sites.
> >> Usernames and passwords come from an Active Directory server via ntlm_auth.
> >> Each site has a group in the NT domain. So, it would be nice to have
> >> multiple auth-types for each area.
> >
> > You don't want and probably shouldn't use multiple auth-types. You want,
> > as per your subject line, multiple Autz-Types. The behaviour of the
> > mschap module can be controlled by setting variables based on Autz-Type
> > then using them later on.
> >
> >>
> >> For clarification, I've tested my server without the Autz-type arguments
> >> (i.e., only using the one mschap instance), and everything works fine.
> >> Everything also works great if I declare multiple instances of mschap, and
> >> just have the radius server search through them in order - however, this
> >> seems to be a rather inefficient way of doing things.
> >
> > It's also not guaranteed to work I think.
> >
> >>
> >> The debug output of radiusd indicates that my modules are being loaded, but
> >> when the client authenticates, it's not done so against an auth-type.
> >>
> >> Any thoughts as to why this is not working?
> >>
> >> Here are the relevant portions of my config files:
> >>
> >> # radiusd.conf:
> >>
> >> .
> >> .
> >> .
> >> modules {
> >> .
> >> .
> >> .
> >> mschap group1 {
> >> authtype = group1
> >> ...some config stuff...
> >> }
> >> mschap group2 {
> >> authtype = group2
> >> ...some config stuff...
> >> }
> >> }
> >> .
> >> .
> >> .
> >> authorize {
> >> preprocess
> >> files
> >> Autz-Type group1 {
> >> group1
> >> }
> >> Autz-Type group2 {
> >> group2
> >> }
> >> eap
> >> }
> >>
> >> authenticate {
> >> Auth-Type group1 {
> >> group1
> >> }
> >> Auth-Type group2 {
> >> group2
> >> }
> >> eap
> >> }
> >> .
> >> .
> >> .
> >>
> >> # users
> >> DEFAULT Called-Station-Id == "00-11-22-33-44-55-66",Autz-Type := group1
> >> DEFAULT Autz-Type = group2
> >
> > What precisely are you trying to do here?
> >
> > You may be better off using the "ldap" module against the AD to pull the
> > groups into the radius server and make decisions there, which is
> > *separate* from the running of the authentication algorithm.
> >
> > Failing that, you could do this:
> >
> > DEFAULT Called-Station-Id == "00-11-22-33-44-55"
> >         Tmp-String-1 = "group1"
> >
> > DEFAULT
> >         Tmp-String-1 = "group2"
> >
> > ...then have:
> >
> > modules {
> > mschap {
> > ntlm_auth = "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users} --other-options"
> > }
> > }
> >
> > authorize {
> > preprocess
> > files
> > mschap
> > eap
> > }
> > authenticate {
> > Auth-Type MSCHAP {
> > mschap
> > }
> > }
> >
> > If you are on an older version of the server you may need to define the
> > Tmp-String-1 attributes like so in "dictionary":
> >
> > ATTRIBUTE Tmp-String-1 3000 string
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
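The mechanism Phil describes (a "users" entry selected by Called-Station-Id sets Tmp-String-1, and the mschap module expands %{reply:Tmp-String-1:-Domain Users} into the ntlm_auth command line) can be seen end to end in the following added Python model. It is an illustration written for this page, not code from the thread or from FreeRADIUS: the users file text, the request attribute values and the --username option standing in for "--other-options" are constructed, and only DEFAULT entries, "==" check items and the xlat forms %{Attr}, %{reply:Attr} and %{reply:Attr:-default} are modelled. Because the check attribute is taken from the users file, the same model also shows Nathan's point that Calling-Station-Id can be matched instead of Called-Station-Id.

```python
"""Added illustration (not FreeRADIUS code): a minimal model of the
'users'-file lookup and the %{reply:Attr:-default} expansion used in the
thread, so first-match and default-fallback behaviour can be seen on sample
requests. Supports only DEFAULT/user entries, '==' check items and the xlat
forms %{Attr}, %{reply:Attr} and %{reply:Attr:-default}."""
import re
import shlex

# Constructed users file with the two entries from the thread.
USERS_FILE = '''
DEFAULT Called-Station-Id == "00-11-22-33-44-55"
        Tmp-String-1 = "group1"

DEFAULT
        Tmp-String-1 = "group2"
'''

# ntlm_auth command line from the thread, with the xlat closed by '}' and a
# made-up --username option standing in for "--other-options".
NTLM_AUTH_CMD = ('ntlm_auth --require-membership-of='
                 '%{reply:Tmp-String-1:-Domain Users} '
                 '--username=%{User-Name}')

ITEM_RE = re.compile(r'^(\S+)\s*(==|:=|=)\s*"?([^"]*)"?$')
XLAT_RE = re.compile(r'%\{(?:(reply|request):)?([A-Za-z0-9-]+)(?::-([^}]*))?\}')


def _split_items(text):
    """Split 'a = "x", b == "y",' into (attr, op, value) tuples."""
    items = []
    for part in text.split(','):
        part = part.strip()
        if not part:
            continue
        m = ITEM_RE.match(part)
        if not m:
            raise ValueError('bad item: %r' % part)
        items.append(m.groups())
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Entry header: name followed by check items.
            name, _sep, checks = line.strip().partition(' ')
            entries.append((name, _split_items(checks), []))
        else:
            # Indented continuation line: reply items for the last entry.
            entries[-1][2].extend(_split_items(line))
    return entries


def authorize(entries, request):
    """First entry whose name and '==' check items match wins; later entries
    are never consulted, which is why the catch-all DEFAULT must come last."""
    for name, checks, replies in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if all(request.get(attr) == value
               for attr, op, value in checks if op == '=='):
            return {attr: value for attr, _op, value in replies}
    return None


def xlat(template, request, reply):
    """Expand %{Attr}, %{reply:Attr} and %{reply:Attr:-default}."""
    def expand(m):
        lst, attr, default = m.groups()
        value = (reply if lst == 'reply' else request).get(attr)
        if value is None:
            return default if default is not None else ''
        return value
    return XLAT_RE.sub(expand, template)


def ntlm_auth_argv(request, users_text=USERS_FILE):
    """Authorize the request and return the argv ntlm_auth would receive if
    the expanded command string were split on whitespace."""
    reply = authorize(parse_users(users_text), request) or {}
    return shlex.split(xlat(NTLM_AUTH_CMD, request, reply))


if __name__ == '__main__':
    ap1 = {'User-Name': 'alice', 'Called-Station-Id': '00-11-22-33-44-55'}
    other = {'User-Name': 'bob', 'Called-Station-Id': 'aa-bb-cc-dd-ee-ff'}
    print(ntlm_auth_argv(ap1))    # group1: first entry matched
    print(ntlm_auth_argv(other))  # group2: fell through to the last DEFAULT
    # With no Tmp-String-1 set at all the ":-" default is used, and the space
    # in "Domain Users" turns it into two arguments under whitespace splitting.
    print(ntlm_auth_argv(other, users_text='DEFAULT\n'))
```

The last case is the check worth making on a real server: a default group name containing a space only works if the server passes it to ntlm_auth as one argument, and the expanded command is visible when running the server in debugging mode with radiusd -X. The model also makes the first-match rule explicit: if the catch-all DEFAULT were placed before the Called-Station-Id entry, every request would get group2.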