FW: mpd+freeradius+AD

Егоров Сергей admin at i-on.ru
Thu Jun 29 14:28:30 CEST 2006

>This is Framed-IP-Address in radius dialect.

Thanks for explaining freeradius basic concepts. I understood, that to assign IP to user I should use users freeradius file. But I couldn't configure it correctly. Now I have only one line in this file


I've add another string (for user test), but it doesn't correct

test   Auth-Type := MS-CHAP,
       Framed-IP-Address =,

That should I fix?

-----Original Message-----
From: Nikos Vassiliadis [mailto:nvass at teledomenet.gr] 
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users at lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> Thanks for reply.
> >You can use one of the three firewalls avaliable in the base system(ipfw,
> > >ipf and pf), however mpd comes with a small dictionary  that uses
> > ipfw(8) >and you can easily define some filter bound to an interface
> > (bound to a >username) via a radius reply attribute, let filter be a
> > pipe(for bandwidth >control) or a packet filtering expression.
> That's fine for filtering vpn users access to local net. But how could I
> assign specific IP for specific user in AD?
> > Your questions don't clearly tell where your problem is.
> >Active Directory? mpd? or FreeRADIUS? You should define
> >them better in order to get help from the list.
> My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN
> 2003 can do 1 and 2 in my questions, so I have to realize how to setup this
> in mpd + freeradius. I already authenticate users from AD group:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>                   --username=%{Stripped-User-Name:-%{User-Name:-None}}
>                   --challenge=%{mschap:Challenge:-00}
>                   --nt-response=%{mschap:NT-Response:-00}
>                   --require-membership-of=EXAMPLE+VPN_Allowed".
> But I have several vpn groups and need to setup timeouts on each one.

setup timeout? This looks like Session-Timeout in radius dialect.

> Also 
> I need to I assign specific IP for specific user in AD.

This is Framed-IP-Address in radius dialect.

> Looks like 
> FreeRadius should respond for this.

Yes, you have to have basic understanding of what radius is. All of these
are very basic setup. I don't know how FreeRADIUS interacts with AD and
what info it should get from AD. So, try searching (or asking) for active 
directory and FreeRADIUS. Keep the mpd part out of it, since it will
add unneeded complexity. Or perhaps start from setting up mpd and
FreeRADIUS. And then you could add AD.

A few suggestions, Nikos

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list