must i use rlm_ldap to use groups/ou via winbind/Active Directory?

john lists.john at gmail.com
Fri May 22 21:27:40 CEST 2009


Hi all,

I am gradually refining my thinking thanks to help from Ivan and
others on the list.

I am using the current freeradius stable along with Active Directory
to provide dot1x based access for our school district.

Our test setup looks like this:

active directory <=> winbind <=> Freeradius <=> NAS <=> supplicant

Problem:

I want to enforce different access policies for users depending on who
they are and where they try to authenticate.

(1) If students or teachers try to authenticate on the wired lan I
want my dot1x capable NAS to provide access only if the user has a
computer cert and valid domain credentials

(2) If students try to connect via the student wireless lan they must
only receive access if they are a member of the Active Directory based
"student wireless users group", e.g. no staff member should be able to
join.

(3) If teachers try to connect via the teacher wireless lan, I want
them to connect only if they HAVE a computer cert AND they have valid
credentials. e.g. only members of the Active Directory based "staff
group" using computers with a valid host credential may receive
access.

One solution would be to have two different radius servers, and point
different NAS clients at the appropriate server, but I think this is
probably not the "right" way to do this.

Ideally, I should be able to do it all from a single radius server
with appropriate controls. I see that in the past folks have done
similar things with openLdap and freeradius. But I think that using
winbind may have changed this for users of Active Directory.

I am not sure how to proceed. I would appreciate any guidance you wish to share.

Thanks!

John
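One way to enforce the per-NAS group requirements of policies (2) and (3) from a single server, added here as an illustration and not part of John's post or any reply on the page: FreeRADIUS 2.x unlang in the inner-tunnel authorize section picks the Active Directory group each NAS is allowed to admit, stores it in the internal Tmp-String-0 attribute, and the mschap module hands it to winbind's ntlm_auth with --require-membership-of, so a user with valid domain credentials but outside that group is still rejected. The NAS addresses, domain name and group SIDs are assumed placeholders; it also assumes PEAP/MSCHAPv2 with copy_request_to_tunnel = yes in eap.conf so NAS-IP-Address is visible in the inner request. The machine-certificate requirement of policies (1) and (3) is not covered by this snippet.

```unlang
# raddb/modules/mschap (FreeRADIUS 2.x) -- domain and path are assumed values
mschap {
    with_ntdomain_hack = yes
    # winbind's ntlm_auth validates the MS-CHAPv2 response against AD and,
    # because of --require-membership-of, fails unless the account is in the
    # group selected per NAS below. A SID is used rather than a group name so
    # that spaces in names such as "student wireless users group" cannot
    # break argument splitting; look SIDs up with: wbinfo --name-to-sid NAME
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{control:Tmp-String-0}"
}

# raddb/sites-enabled/inner-tunnel, authorize section, before the mschap
# and eap entries. All addresses and SIDs are constructed placeholders.
authorize {
    if (NAS-IP-Address == 10.0.1.10) {
        # student wireless controller: "student wireless users group" only,
        # so staff accounts are refused here even with correct credentials
        update control {
            Tmp-String-0 := "S-1-5-21-0000000001-0000000002-0000000003-1107"
        }
    }
    elsif (NAS-IP-Address == 10.0.1.11) {
        # teacher wireless controller: "staff group" only
        update control {
            Tmp-String-0 := "S-1-5-21-0000000001-0000000002-0000000003-1108"
        }
    }
    else {
        # wired switches: any domain account ("Domain Users", RID 513)
        update control {
            Tmp-String-0 := "S-1-5-21-0000000001-0000000002-0000000003-513"
        }
    }
    mschap
    eap
}
```

Because the group is chosen from the NAS that relayed the request, a student account presented at the teacher controller fails membership and is rejected, which removes the need for a second RADIUS server.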


