Can't figure out Group Authentication

dhanushka ranasinghe parakrama1282 at gmail.com
Wed Jun 27 05:50:52 CEST 2012


Hi...

I was able to get OpenLDAP group authentication + PAP working with RADIUS. I
used the following settings:

In the users file (the reply item has to be indented, otherwise it is read as
the start of a new entry):

DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihk,dc=com"
	Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


and in /etc/freeradius/modules/ldap:

        server = "ldap.ihx.com"
        # bind DN and password used for the directory search
        identity = "cn=admin,dc=openldap,dc=ihx,dc=com"
        password = abc
        basedn = "dc=openldap,dc=ihx,dc=com"
        # look the user up by mail address, falling back to the raw User-Name
        filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"
        access_attr = "mail"
        authtype = ldap



and uncomment the following lines in /etc/freeradius/modules/ldap:

 groupname_attribute
 groupmembership_filter
 groupmembership_attribute

hope this helps,


Thank You

On 26 June 2012 20:44, Julson, Jim <jjulson at marketron.com> wrote:

> Forgive my ignorance, but the variable that you are suggesting I use would
> be something that I had to create locally on my RADIUS servers right?  The
> idea is that we use our central point of management which in our case is
> Active Directory.  We have hundreds of servers ranging from RHEL 3 up to
> Ubuntu 12.04 as well as Windows boxes.  So managing groups on a "per radius
> server" basis isn't really a good choice from a management perspective.
>  Using the Active Directory domain, we can have our admins move folks in
> and out of groups as necessary.
>
> Did I understand your suggestion right?  Or is that variable
> "--require-membership-of=" something that can help me achieve what I want
> to do?  I thought I had to use LDAP for Group Authorization...
>
> -----Original Message-----
> From: freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org] On
> Behalf Of NdK
> Sent: Tuesday, June 26, 2012 3:36 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Can't figure out Group Authentication
>
> On 22/06/2012 17:32, Julson, Jim wrote:
>
> > Now, the problem is this.  Following Alan DeKok's guide at
> http://deployingradius.com/documents/configuration/active_directory.html,
> I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal
> effort.  There were a few things I had to go elsewhere to figure out, but I
> managed.  I have FreeRADIUS setup and authenticating using NTLM_AUTH.  I
> was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This
> RADIUS server will be for authenticating users on all of our Cisco devices,
> as well as remote access VPN users.  So the problem is this.  It's
> authenticating...a little too well.
>
>
>
> Why not add a "default group" var (to be overridden for specific
> clients) and pass it to ntlm_auth in "--require-membership-of="
> parameter? That way you can filter who can authenticate from any NAS.
> And IIUC huntgroups, you can even define groups of clients...
>
> Please correct me if I'm wrong.
>
> BYtE,
>  Diego.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> The information contained in this e-mail message may be confidential and
> protected from disclosure.  If you are not the intended recipient, any
> dissemination, distribution or copying is strictly prohibited. If you
> think that you have received this e-mail message in error, please notify
> the sender immediately by replying to this message and then delete it
> from your system.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
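Both fixes discussed in this thread, the users file that rejects anyone not in the LDAP group and a single ntlm_auth "--require-membership-of" filter, hinge on what rlm_files does when no entry matches: nothing, so authentication proceeds and the backend "authenticates a little too well". The following Python is an added illustration, not FreeRADIUS code: it models the users file's first-match rule (the first entry whose check items all match supplies the config and reply items, and processing stops unless the reply sets Fall-Through = Yes) over a constructed group table that stands in for rlm_ldap's Ldap-Group lookup. The users alice and bob, the ihx.com domain, the LDAP_GROUPS table and the password_ok flag are assumptions made for the example.

```python
"""
Minimal model of FreeRADIUS 'users' file first-match semantics.

Added illustration, not rlm_files itself: entries are walked top to bottom,
the first entry whose check items all match wins, and the walk stops unless
that entry's reply sets Fall-Through = Yes. The Ldap-Group check is answered
from a constructed table instead of a live rlm_ldap query.
"""

import re

# Constructed directory data standing in for rlm_ldap's group lookup
# (assumption: group membership is resolved by the module, not stored in the file).
LDAP_GROUPS = {
    "alice@ihx.com": {"cn=staff,ou=groups,dc=openldap,dc=ihx,dc=com"},
    "bob@ihx.com": set(),  # valid directory user, but not in staff
}

# The posted configuration without its fallback entry: non-members simply match nothing.
USERS_BROKEN = """\
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihx,dc=com"
\tReply-Message = "You are Accepted"
"""

# The posted configuration as written: anyone who falls through is rejected.
USERS_FIXED = USERS_BROKEN + """\
DEFAULT Auth-Type := Reject
"""

# attribute, operator, then either a "quoted value" or a bare word
ITEM = re.compile(r'([\w-]+)\s*(==|!=|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_items(text):
    """Split 'A == "x", B := y' into [(attr, op, value), ...]."""
    return [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
            for m in ITEM.finditer(text)]


def parse_users(text):
    """Parse users-file text into [(name, check_items, reply_items)]."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                  # indented line: reply items of the current entry
            entries[-1][2].extend(parse_items(line))
        else:                                 # new entry: name followed by check items
            parts = line.split(None, 1)
            entries.append((parts[0], parse_items(parts[1]) if len(parts) > 1 else [], []))
    return entries


def check_matches(item, request, username):
    """Evaluate one check item; ':=' and '=' are 'set' operators and always match."""
    attr, op, val = item
    if op in (":=", "="):
        return True
    if attr == "Ldap-Group":                  # membership comes from the directory, not the request
        member = val in LDAP_GROUPS.get(username, set())
        return member if op == "==" else not member
    actual = request.get(attr)
    return (actual == val) if op == "==" else (actual != val)


def authorize(entries, request):
    """Return (config, reply) the way the users file would populate them."""
    username = request["User-Name"]
    config, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != username:
            continue
        if not all(check_matches(c, request, username) for c in checks):
            continue
        for attr, op, val in checks:          # 'set' check items land in the config list
            if op == ":=" or (op == "=" and attr not in config):
                config[attr] = val
        for attr, op, val in replies:
            reply[attr] = val
        if reply.get("Fall-Through", "No").lower() != "yes":
            break                             # first match wins
    return config, reply


def decide(users_text, request, password_ok):
    """Combine the users-file result with the backend password check (modelled as a bool)."""
    config, reply = authorize(parse_users(users_text), request)
    if config.get("Auth-Type") == "Reject":
        return "Access-Reject", reply
    return ("Access-Accept" if password_ok else "Access-Reject"), reply


if __name__ == "__main__":
    for users in (USERS_BROKEN, USERS_FIXED):
        for user in ("alice@ihx.com", "bob@ihx.com"):
            print(user, decide(users, {"User-Name": user}, password_ok=True))
```

With the fallback entry in place, bob (correct password, not in cn=staff) gets Access-Reject; without it he is accepted, which is exactly the "a little too well" symptom. The same first-match logic is why the Ldap-Group entry must precede the DEFAULT Auth-Type := Reject entry and not follow it.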

