Can't figure out Group Authentication

Alan DeKok aland at deployingradius.com
Sat Jun 23 14:22:13 CEST 2012


Julson, Jim wrote:
> Now, I then setup my Cisco router accordingly, and then did an SSH test
> to it using my AD Account.  Voila!  It worked great.  However, so did
> every other "Domain User" account in the environment.  This goes
> back to me being so new to RADIUS and Linux where I don't feel like I'm
> fully grasping all of the directives within the configuration files, and
> exactly how they all tie together.

  Honestly, I don't remember much of that, either.  When I configure the
server, I usually go back and read the comments *I wrote* to figure out
what to do.

  But for your issue, you told the server to "use AD to authenticate all
users".  So that's what it did.

> So, how do I lock down the SSH Authentication to an Active Directory
> Group of users, or individual users?  Remember, go easy on me.  I'll
> provide whatever you need to help.  I'm assuming you will ask for my
> RADIUSD -X output, so I've attached that as well.

1) configure AD as an LDAP server.  See raddb/modules/ldap

2) add "ldap" to the "instantiate" section of radiusd.conf
   There are references to "ldap" in "authorize" and "authentication"
   You won't need those.

3) Do group checking with LDAP-Group == "group name"

  See the FAQ for examples of rejecting users with a particular group.
The FAQ uses "Group", which is "Unix group from /etc/passwd".  Just use
LDAP-Group instead.

> NOTE:  One thing I don't understand is how in Alan DeKok's write up from
> the link above, he says don't use the "DEFAULT    Auth-Type = ntlm_auth"
> in the "/etc/raddb/users" file, but yet that's one of the final steps to
> test in the write-up.

  It's an intermediate step.  It's necessary only when you're forcing
authentication back-ends.

>  Maybe it's because I am so new, but I've been
> through that document probably 30 times line by line, and yet every time
> I remove that entry, it breaks the Authentication. 

  Yes.  The server needs to know HOW to authenticate the users.  The
incoming RADIUS packet contains what KIND of authentication method.
PAP, CHAP, MS-CHAP, etc.  So the server has no choice there.

  But where does it get the passwords from?  Normally this is a DB.  But
AD isn't a DB (for various reasons).  Instead, the "Auth-Type =
ntlm_auth" reformats and *proxies* the authentication over the Samba
protocol, using the ntlm_auth program.

  i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this
correct?"

  If the server has passwords from a DB, it can just authenticate the
user directly.  If it doesn't have a password for that user, it has to
hand off the authentication to someone else.

  Alan DeKok.
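The three steps above, written out as the config fragments a FreeRADIUS 2.x install would need. This is an added example and not part of Alan's message or of the FreeRADIUS distribution; the host name, bind DN, base DN, group name "Network-Admins" and Reply-Message text are placeholders for this example, and the ntlm_auth entry at the end is the one the write-up already has you using.

```text
# raddb/modules/ldap  (step 1: point the ldap module at AD)
# Only the settings that matter for group checks are shown.
ldap {
        server   = "dc1.example.com"                         # placeholder
        identity = "cn=radius-bind,ou=service,dc=example,dc=com"
        password = "bind-account-password"                   # placeholder
        basedn   = "dc=example,dc=com"

        # Locate the AD user by login name, dropping any DOMAIN\ prefix.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # LDAP-Group == "name" is compared against the cn of every group
        # whose member attribute lists the user's DN.  The
        # :1.2.840.113556.1.4.1941: matching rule is AD-specific and makes
        # the match follow nested groups; drop it for a plain member= test.
        groupname_attribute   = cn
        groupmembership_filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"
}

# radiusd.conf  (step 2: load the module so the LDAP-Group comparison exists)
instantiate {
        ...
        ldap
}

# raddb/users  (step 3: reject anyone outside the group before any
# password check happens; entries are evaluated top to bottom)
DEFAULT  LDAP-Group != "Network-Admins", Auth-Type := Reject
         Reply-Message = "Not authorised for network device access"

# Everyone who got past the check above: hand the password to ntlm_auth.
DEFAULT  Auth-Type = ntlm_auth
```

The order of the two "users" entries matters: the LDAP-Group line must come first, and because it sets Auth-Type := Reject the ntlm_auth line is never reached for users outside the group. Nothing here needs "ldap" in the authorize or authenticate sections; the comparison in the users file makes the module bind to AD and run the group search itself. Test it with radtest for one account inside the group and one outside while running radiusd -X, and confirm the debug output shows the group comparison succeeding for the first and failing for the second before you trust it from the router.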


More information about the Freeradius-Users mailing list