must i use rlm_ldap to use groups/ou via winbind/Active Directory?

Fri May 22 22:37:33 CEST 2009

On Fri, May 22, 2009 at 1:03 PM, Ivan Kalik <tnt at kalik.net> wrote:
>
>> Problem:
>>
>> I want to enforce different access policies for users depending on who
>> they are and where they try to authenticate.
>>
>> (1) If students or teachers try to authenticate on the wired lan I
>> want my dot1x capable NAS to provide access only  if they user has a
>> computer cert and valid domain credentials
>
> You enforce computer authentication on your hardware. If there is no mac
> auth bypass computer certificates will have to be used.

I am not sure what you mean by "mac auth bypass." Can you explain.

I think I am able to enforce certificate usage all of the time
but I am not sure how to enforce it only on certain NAS and not
require it on other NAS.

>
> Numbers of users should determine which policy (let's call this one
> wired_vlan) should go first.
>
>> (2) If students try to connect via the student wireless lan they must
>> only receive access if they are a member of the Active Directory based
>> "student wireless users group", e.g. no staff member should be able to
>> join.
>
> This is straightforward use of huntgroups/sqlhuntgroups in combination
> with Ldap-Group (your AD should be configured in ldap module).
>
>> (3) If teachers try to connect via the teacher wireless lan, I want
>> them to connect only if they HAVE a computer cert AND they have valid
>> credentials. e.g only members of the Active Directoy based "staff
>> group" using computers with a valid host credential may receive
>> access.
>
> This combination of two above.
>
> Create huntgroups/sqlhuntgroups wired_vlan, student_vlan and teacher_vlan.
> Then put this in authorize (inner-tunnel, where ldap + preprocess is
> enabled if you are using huntgrups file or you have ldap + unlang
> statements described in sql huntgroups howto):
>
> if(Huntgroup-Name == "student_vlan" && Ldap-Group == "student") {
>     ok
> }
> elsif(Huntgroup-Name == "wired_vlan") {
>     ok
> }
> elsif(Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") {
>     ok
> }
> else {
>     reject
> }
>
> That will allow only users with valid credentials accessing with stated
> vlans or vlan/group combinations.

Thanks Ivan,

So this policy would check the huntgroup that the NAS was a member of
and then go on to check if the users was part of the proper
Ldap-Group and assuming that both were true then access would be
granted. I am still not clear how  some hunt groups will always
require a host cert and others never will. Is this set in the hunt
group?

Alan, I can't wait for your book to be published!

Thanks for your reply.

John