Can't figure out Group Authentication

Julson, Jim jjulson at MARKETRON.COM
Tue Jun 26 17:14:49 CEST 2012


Forgive my ignorance, but the variable that you are suggesting I use would be something that I had to create locally on my RADIUS servers, right?  The idea is that we use our central point of management, which in our case is Active Directory.  We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04, as well as Windows boxes.  So managing groups on a "per RADIUS server" basis isn't really a good choice from a management perspective.  Using the Active Directory domain, we can have our admins move folks in and out of groups as necessary.

Did I understand your suggestion right?  Or is that variable "--require-membership-of=" something that can help me achieve what I want to do?  I thought I had to use LDAP for Group Authorization...

-----Original Message-----
From: freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org] On Behalf Of NdK
Sent: Tuesday, June 26, 2012 3:36 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Can't figure out Group Authentication

On 22/06/2012 17:32, Julson, Jim wrote:

> Now, the problem is this.  Following Alan DeKok's guide at http://deployingradius.com/documents/configuration/active_directory.html, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort.  There were a few things I had to go elsewhere to figure out, but I managed.  I have FreeRADIUS set up and authenticating using NTLM_AUTH.  I was able to join my AD 2008 R2 domain, and I can list users, groups, etc.  This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users.  So the problem is this.  It's authenticating...a little too well.



Why not add a "default group" var (to be overridden for specific
clients) and pass it to ntlm_auth in "--require-membership-of="
parameter? That way you can filter who can authenticate from any NAS.
And IIUC huntgroups, you can even define groups of clients...

Please correct me if I'm wrong.

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
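As an added illustration of the approach Diego sketches above (not configuration from the thread, and not FreeRADIUS's shipped config), here is how the pieces fit together in FreeRADIUS 2.x: a huntgroup classifies the NAS by source address, unlang picks an AD group for that huntgroup into a control attribute, and the mschap and exec ntlm_auth module strings pass that attribute to ntlm_auth via --require-membership-of, so winbind refuses the login unless the AD account is in that group. The security point is that group membership is then enforced on the RADIUS server at authentication time, while the groups themselves stay in AD. The local attribute name Ntlm-Auth-Group, the huntgroup names, the NAS addresses, the EXAMPLE domain and the group names are all assumptions; Huntgroup-Name (set by the preprocess module), the raddb/dictionary local-attribute format, and the ntlm_auth flags are real FreeRADIUS 2.x and Samba features.

```conf
# --- raddb/dictionary: local attribute to carry the required AD group.
#     Name is hypothetical; 3000 is in the range raddb/dictionary reserves
#     for site-local attributes.
ATTRIBUTE   Ntlm-Auth-Group     3000    string

# --- raddb/huntgroups: classify NASes by source address (addresses assumed).
#     The preprocess module sets Huntgroup-Name on requests that match.
net-admins      NAS-IP-Address == 10.10.0.0/24
vpn-gateway     NAS-IP-Address == 10.10.1.5

# --- raddb/sites-enabled/default, authorize section (only the relevant lines)
authorize {
    preprocess

    # Default for every NAS: a valid domain account alone is no longer
    # enough; the user must also be in a baseline AD group.
    update control {
        Ntlm-Auth-Group := "EXAMPLE\\RADIUS-Users"
    }

    # Per-NAS override selected by huntgroup. Admins only ever move
    # people between these AD groups; nothing changes on the RADIUS box.
    if (Huntgroup-Name == "net-admins") {
        update control {
            Ntlm-Auth-Group := "EXAMPLE\\Network-Admins"
        }
    }
    elsif (Huntgroup-Name == "vpn-gateway") {
        update control {
            Ntlm-Auth-Group := "EXAMPLE\\VPN-Users"
        }
    }

    mschap
    # (remaining authorize modules unchanged)
}

# --- raddb/modules/mschap: MS-CHAP path. winbind enforces the membership
#     check; a user outside the group fails even with the right password.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=%{control:Ntlm-Auth-Group}"
}

# --- raddb/modules/ntlm_auth: PAP path via the exec module. It needs the
#     same flag, otherwise plain-password logins bypass the group check.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=%{control:Ntlm-Auth-Group}"
}
```

Two checks worth doing before trusting this: confirm winbind resolves each group name you configure (for example `wbinfo --name-to-sid 'EXAMPLE\Network-Admins'`; --require-membership-of also accepts the SID, which sidesteps backslash escaping and renamed groups), and run a request from an address that matches no huntgroup to confirm the baseline group, not an empty parameter, is what reaches ntlm_auth. Avoid group names containing spaces in these strings, since the expanded command line is split on whitespace.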