mpd+freeradius+AD
Егоров Сергей
admin at i-on.ru
Wed Jun 28 11:22:59 CEST 2006
>This is Framed-IP-Address in radius dialect.
Thanks for explaining the basic FreeRADIUS concepts. I understood that to assign an IP to a user I should use the FreeRADIUS users file. But I couldn't configure it correctly. Now I have only one line in this file:
DEFAULT Auth-Type := MS-CHAP
I've added another string (for user test), but it isn't correct:
test Auth-Type := MS-CHAP,
Framed-IP-Address = 192.168.10.65,
Fall-Through = Yes
What should I fix?
-----Original Message-----
From: Nikos Vassiliadis [mailto:nvass at teledomenet.gr]
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users at lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD
On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> Thanks for reply.
>
> >You can use one of the three firewalls available in the base system (ipfw,
> >ipf and pf), however mpd comes with a small dictionary that uses
> >ipfw(8) and you can easily define some filter bound to an interface
> >(bound to a username) via a radius reply attribute, let filter be a
> >pipe (for bandwidth control) or a packet filtering expression.
>
> That's fine for filtering vpn users access to local net. But how could I
> assign specific IP for specific user in AD?
>
> >Your questions don't clearly tell where your problem is.
> >Active Directory? mpd? or FreeRADIUS? You should define
> >them better in order to get help from the list.
>
> My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN
> 2003 can do 1 and 2 in my questions, so I have to realize how to setup this
> in mpd + freeradius. I already authenticate users from AD group:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}
> --require-membership-of=EXAMPLE+VPN_Allowed".
>
> But I have several vpn groups and need to setup timeouts on each one.
setup timeout? This looks like Session-Timeout in radius dialect.
> Also
> I need to assign specific IP for specific user in AD.
This is Framed-IP-Address in radius dialect.
> Looks like
> FreeRadius should respond for this.
Yes, you have to have basic understanding of what radius is. All of these
are very basic setup. I don't know how FreeRADIUS interacts with AD and
what info it should get from AD. So, try searching (or asking) for active
directory and FreeRADIUS. Keep the mpd part out of it, since it will
add unneeded complexity. Or perhaps start from setting up mpd and
FreeRADIUS. And then you could add AD.
A few suggestions, Nikos
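
The layout rules that the users(5) file format places on an entry like the one posted at the top of this message, as an added example that is not part of the thread: the name and its check items share one line with no trailing comma, and reply items follow on whitespace-indented lines, each ending with a comma except the last. `lint_users` and its operator heuristic are hypothetical helpers, and the sample text is constructed from the entry as it appears on this page (its original indentation may have been lost in archiving).

```python
import re
# Heuristic (an assumption of this example): a column-0 line whose second token
# is an attribute operator is a reply item that lost its leading whitespace.
OPERATOR = re.compile(r"^(:=|==|\+=|!=|>=|<=|=~|!~|=|<|>)$")

def lint_users(text):
    """Return sorted (line_number, message) layout problems in users-file text."""
    problems, replies, entry = [], [], None
    def close_entry():
        # Reply lines are comma-separated: every line but the last ends with ','.
        for i, (no, body) in enumerate(replies):
            last = i == len(replies) - 1
            if last and body.endswith(","):
                problems.append((no, "last reply line must not end with a comma"))
            elif not last and not body.endswith(","):
                problems.append((no, "reply line must end with a comma"))
        replies.clear()

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue                              # blank line or comment
        if line[0] in " \t":                      # indented: reply items
            if entry is None:
                problems.append((no, "reply line before any entry"))
            else:
                replies.append((no, line.strip()))
            continue
        tokens = line.split()
        if len(tokens) > 1 and OPERATOR.match(tokens[1]):
            problems.append((no, "item at column 0; reply lines must be indented"))
            continue
        close_entry()                             # column 0: a new entry starts
        entry = tokens[0]
        if line.endswith(","):
            problems.append((no, "check-item line must not end with a comma"))
    close_entry()
    return sorted(problems)

# Constructed from the entry as it appears in the message above.
AS_POSTED = ("DEFAULT Auth-Type := MS-CHAP\n"
             "test Auth-Type := MS-CHAP,\n"
             "Framed-IP-Address = 192.168.10.65,\n"
             "Fall-Through = Yes\n")
# Same items re-laid out: check items on the name line, reply items indented.
RELAID = ("test Auth-Type := MS-CHAP\n"
          "\tFramed-IP-Address = 192.168.10.65,\n"
          "\tFall-Through = Yes\n")
```

The check covers layout only; it does not judge whether the attribute values suit a given setup.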