Checking SSID via A/D Group
Garber, Neal
Neal.Garber at energyeast.com
Fri Jun 23 16:39:10 CEST 2006
We use Cisco 1232 APs with EAP-PEAP-MSCHAPv2 to a Cisco ACS (RADIUS server). We would like to restrict access to SSIDs based upon Windows group membership. The ACS server is not capable of doing this. I currently have FreeRadius (1.1.2) installed under FreeBSD with OpenSSL 0.9.7d-p1 17 and Samba 3.0.20b. If the server is joined to an Active Directory domain, would it be possible to not just authenticate user/pwd through Samba, but also to check for Windows group membership based upon the SSID to which the user is trying to authenticate? If this is possible, can you suggest the general approach to implementing this?

For instance, if we have SSIDs ssid1, ssid2 and ssid3 and we want to map

ssid1 -> Windows group "ssid1 users"
ssid2 -> Windows group "ssid2 users"
ssid3 -> Windows group "ssid3 users"

such that if the user is a member of the group and their credentials are valid, FreeRadius would return Access-Accept. If they aren't a member of the group or their credentials are invalid, it would return Access-Reject.

I've seen some threads talking about putting a SSID attribute in LDAP. But users could be authorized for more than one SSID, so it doesn't seem like that approach would work. Also, administratively, it's easier to identify/manage who is authorized for which SSIDs if it is done via group membership as opposed to a user attribute.

Also, does FreeRadius support changing of passwords via MSCHAP to Active Directory when the password is expired?

Thank you in advance for any help/guidance you can provide.

Neal
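The SSID-to-group rule described in the post, written out as an added example; this is not code from the original message and not part of FreeRADIUS or Samba. It assumes the access point reports the SSID after the AP MAC in Called-Station-Id as "<mac>:<ssid>" (a common AP convention; confirm it in your own RADIUS debug output), and it uses a constructed in-memory group table in place of a winbind/LDAP lookup against Active Directory. The point it shows is the default-deny shape of the policy: a user is accepted only when the credentials verified, the request names a known SSID, and the user is in the group mapped to that SSID; a user in several groups is therefore authorized for several SSIDs without any per-user SSID attribute.

```python
"""
Added example (not from the original post): reference implementation of the
SSID -> Windows group authorization rule, in plain Python so it runs offline.

Assumptions (labelled): Called-Station-Id is "<mac>:<ssid>"; group membership
comes from a constructed table standing in for a winbind/LDAP lookup.
"""

from typing import Dict, FrozenSet, Optional

# Policy: the Windows group required for each SSID. Any SSID not listed is
# denied (default deny), so adding a new SSID is an explicit decision.
SSID_TO_GROUP: Dict[str, str] = {
    "ssid1": "ssid1 users",
    "ssid2": "ssid2 users",
    "ssid3": "ssid3 users",
}

# Constructed sample data standing in for the AD group lookup. Users may be in
# several groups, so one user can be authorized for several SSIDs.
AD_GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"ssid1 users", "SSID2 Users", "Domain Users"}),
    "bob": frozenset({"ssid3 users", "Domain Users"}),
    "carol": frozenset({"Domain Users"}),
}


def ssid_from_called_station_id(called_station_id: str) -> Optional[str]:
    """Extract the SSID from a "<mac>:<ssid>" Called-Station-Id.

    Splits on the first colon only, so an SSID containing a colon survives.
    Returns None when no SSID is present (some NAS types send only the MAC);
    the caller treats that as a reject rather than guessing an SSID.
    """
    _mac, sep, ssid = called_station_id.partition(":")
    if not sep or not ssid:
        return None
    return ssid


def user_groups(username: str) -> FrozenSet[str]:
    """Stand-in for the AD membership lookup (assumed; winbind in practice)."""
    return AD_GROUPS.get(username, frozenset())


def authorize(username: str, called_station_id: str, credentials_valid: bool) -> str:
    """Return the RADIUS result the policy calls for.

    Accept only when the credentials verified, the request carries a known
    SSID, and the user is a member of that SSID's group. Windows group names
    are case-insensitive, so the comparison folds case.
    """
    if not credentials_valid:
        return "Access-Reject"
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return "Access-Reject"
    required_group = SSID_TO_GROUP.get(ssid)
    if required_group is None:
        return "Access-Reject"
    member_of = {g.casefold() for g in user_groups(username)}
    if required_group.casefold() not in member_of:
        return "Access-Reject"
    return "Access-Accept"
```

In a real deployment this decision would sit in the RADIUS server's authorize stage for the PEAP inner request, after MSCHAPv2 has verified the password, and the membership lookup would query the domain through winbind or LDAP; the accept/reject table above is what that stage has to implement.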