mpd+freeradius+AD

Nikos Vassiliadis nvass at teledomenet.gr
Mon Jun 26 15:08:42 CEST 2006


On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> Thanks for reply.
>
> > You can use one of the three firewalls avaliable in the base system(ipfw,
> > ipf and pf), however mpd comes with a small dictionary  that uses
> > ipfw(8) and you can easily define some filter bound to an interface
> > (bound to a username) via a radius reply attribute, let filter be a
> > pipe(for bandwidth control) or a packet filtering expression.
>
> That's fine for filtering vpn users access to local net. But how could I
> assign specific IP for specific user in AD?
>
> > Your questions don't clearly tell where your problem is.
> >Active Directory? mpd? or FreeRADIUS? You should define
> >them better in order to get help from the list.
>
> My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN
> 2003 can do 1 and 2 in my questions, so I have to realize how to setup this
> in mpd + freeradius. I already authenticate users from AD group:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>                   --username=%{Stripped-User-Name:-%{User-Name:-None}}
>                   --challenge=%{mschap:Challenge:-00}
>                   --nt-response=%{mschap:NT-Response:-00}
>                   --require-membership-of=EXAMPLE+VPN_Allowed".
>
> But I have several vpn groups and need to setup timeouts on each one.

setup timeout? This looks like Session-Timeout in radius dialect.

> Also 
> I need to I assign specific IP for specific user in AD.

This is Framed-IP-Address in radius dialect.

> Looks like 
> FreeRadius should respond for this.

Yes, you have to have a basic understanding of what radius is. All of these
are very basic setups. I don't know how FreeRADIUS interacts with AD and
what info it should get from AD. So, try searching (or asking) for active 
directory and FreeRADIUS. Keep the mpd part out of it, since it will
add unneeded complexity. Or perhaps start from setting up mpd and
FreeRADIUS. And then you could add AD.

A few suggestions, Nikos
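
As an added example (not from the thread), the attribute mapping Nikos describes, expressed as FreeRADIUS `users` file entries for the mpd + FreeRADIUS stage before AD is added. The usernames, addresses and file path are placeholders, and the entries assume MS-CHAP authentication is already handled by ntlm_auth as in the quoted config, so they carry reply items only:

```text
# /usr/local/etc/raddb/users  (added example, not from the thread)
# Authentication itself is done by the MS-CHAP module via ntlm_auth,
# so these entries carry reply attributes only, no password check items.
# Usernames and addresses below are made-up placeholders.

# Per-user static address: mpd assigns this IP to the user's PPP link
# and tears the session down after Session-Timeout seconds (8 hours).
jsmith
        Framed-IP-Address = 192.0.2.50,
        Session-Timeout = 28800

# Same idea for a second user, with a one-hour session limit.
contractor1
        Framed-IP-Address = 192.0.2.51,
        Session-Timeout = 3600

# Everyone else: address comes from mpd's own pool, 4-hour session limit.
# Entries above stop processing on match, so they do not also get this.
DEFAULT
        Session-Timeout = 14400
```

Per-group timeouts (the "several vpn groups" case) need a check item that identifies the group, which comes from whatever ties FreeRADIUS to AD, so that part is left out here on purpose.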
