PEAP MSCHAP2 Freeradius Active Directory
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jun 28 22:20:11 CEST 2006
fvt3 wrote:
> Hi,
>
> I have a question on configuring freeradius to return
> vlan attributes based on a user group membership or ou.
> I have a windows client xp sp2 using peap mschap2 to
> authenticate off radius. How do I set radius to
> return a vlan id of 10 if the user belongs to the
> student group and if the user belongs to the teacher
> group the user gets a vlan id of 20? I have freeradius
> to authenticate off Active Directory but it's only
> returning one vlan.
>
> DEFAULT NAS-Port-Type == "Wireless-802.11"
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 10,
>         Tunnel-Type = VLAN
>
> Do I have to add something else in the user file?

You will need to configure the LDAP module to fetch groups from AD's LDAP
server. See copious documentation or posts to the list. Broadly, once
the LDAP module is set up correctly:

DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10,
        Tunnel-Type = VLAN

DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20,
        Tunnel-Type = VLAN

Alternatively if you fill AD in from some external system e.g. SQL
database you can pull from there, or dump the groups to a file like so:

  username:groupname

...and use the (poorly-named) "passwd" module to add the group.
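
An added example, not part of the original post: a Python sketch that renders the username:groupname dump described above and previews which VLAN each user would receive when the two DEFAULT entries are evaluated in order. The user names, function names and the one-line-per-(user, group) layout are assumptions of this example.

```python
# Added example, not from the original post. User names and function names are
# hypothetical; the group-to-VLAN order mirrors the two DEFAULT entries above.
VLAN_RULES = [("Students", 10), ("Staff", 20)]  # first match wins (no Fall-Through)

# Constructed sample standing in for a group export from AD or SQL.
SAMPLE_MEMBERSHIP = {
    "alice": {"Students"},
    "bob": {"Staff"},
    "carol": {"Students", "Staff"},
    "dave": {"Visitors"},
}


def render_group_file(membership):
    """Return the 'username:groupname' dump, one line per (user, group) pair."""
    lines = []
    for user in sorted(membership):
        for group in sorted(membership[user]):
            for field in (user, group):
                # A ':' or line break inside a field would shift or inject entries.
                if not field or any(c in field for c in ":\r\n"):
                    raise ValueError(f"unsafe field in group dump: {field!r}")
            lines.append(f"{user}:{group}")
    return "\n".join(lines) + "\n"


def audit_vlans(membership):
    """Map each user to (vlan, note) under first-match evaluation of VLAN_RULES."""
    report = {}
    for user, groups in membership.items():
        hits = [vlan for group, vlan in VLAN_RULES if group in groups]
        if not hits:
            report[user] = (None, "no VLAN rule matches")
        elif len(hits) > 1:
            report[user] = (hits[0], "in several VLAN groups, first rule wins")
        else:
            report[user] = (hits[0], "ok")
    return report


if __name__ == "__main__":
    print(render_group_file(SAMPLE_MEMBERSHIP), end="")
    for user, (vlan, note) in sorted(audit_vlans(SAMPLE_MEMBERSHIP).items()):
        print(f"{user}: vlan={vlan} ({note})")
```

Users reported with no matching rule receive no tunnel attributes from these entries, so the VLAN they land on is whatever the access point or switch applies by default.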