Tricky problem with ldap and primary groups in AD

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at
Wed Aug 1 23:52:34 CEST 2012

Hi All,
  I've been searching for half the day and can't find an answer for a
question I have. I'm new to freeradius and so far am finding it a
rewarding challenge.
I have freeradius 2.1.10 up and running, querying AD via ldap and
authenticating with ntlm_auth fine.
I'm using Ldap-Group checks within the users file to check against the
AD groups. The problem I have is that the NAS we're working with (Cisco
wireless APs) does both MAC address and PEAP-MSCHAPv2 authentication to
join the SSID. The PEAP bit works ok, but for the MAC address bit the AD
administrators set a user up on AD with the mac address but with only
one primary group set which dictates the vlan passed back to that
particular user on a specific client machine. The Ldap-Group doesn't see
the primary group as it's set to do a "memberof" lookup. Other groups
are seen fine.
There are 3 ways I can see this working:
1) Get the LDAP bods to assign a different primary group and use
the other group to dictate vlan membership. We've 5000 odd clients so
this isn't my favourite.
2) Check the primarygroupid attribute out by mapping it using
ldap.attrmap and attributes in the dictionary file, but then as far as I
can tell I can't use these as checkitems within the users file. It's
also tedious to have to know the primarygroupIDs for each group. I'd
quite like the users file to be the main source of passing radius
attributes back to clients, but there may be another way?
3) Something else a bit more clever. I've seen various examples of
java / etc ways of taking the primarygroupid, changing its
data type and thus finding the group name, which could then maybe be
passed back to the users file. I have absolutely no idea here.

Can someone please help?
Andy Franks
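As an added example (not part of the original post and not FreeRADIUS code), here is the arithmetic behind option 3: AD stores the primary group only as primaryGroupID, the RID of the group within the user's own domain, so the group's SID is the user's domain SID with that RID appended, and AD accepts the string form of a SID in an objectSid filter. The user SID and primaryGroupID below are constructed sample values.

```python
import struct


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode the binary objectSid that AD returns over LDAP into S-1-5-21-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count * uint32 little-endian.
    """
    revision, sub_count = sid[0], sid[1]
    if revision != 1 or len(sid) != 8 + 4 * sub_count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Replace the user's RID (last component) with primaryGroupID.

    The primary group always lives in the user's domain, so the domain
    SID prefix is shared; only the RID differs.
    """
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


def primary_group_filter(user_sid: str, primary_group_id: int) -> str:
    """LDAP filter that returns the primary group object itself (to read its cn)."""
    return "(&(objectClass=group)(objectSid=%s))" % primary_group_sid(
        user_sid, primary_group_id
    )


def is_primary_member(user_sid: str, primary_group_id: int, group_sid: str) -> bool:
    """Membership check that memberOf never answers: is this group the user's primary group?"""
    return primary_group_sid(user_sid, primary_group_id) == group_sid


# Constructed sample: user S-1-5-21-1111-2222-3333-1105 with primaryGroupID 513
# (513 is the well-known RID of Domain Users).
SAMPLE_USER_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111, 2222, 3333, 1105
)
SAMPLE_PRIMARY_GROUP_ID = 513

if __name__ == "__main__":
    user = sid_bytes_to_string(SAMPLE_USER_SID)
    print(user)
    print(primary_group_filter(user, SAMPLE_PRIMARY_GROUP_ID))
```

The filter string is what a second LDAP search against the domain base would use to turn the computed SID into a group name for a users-file check.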