Can't figure out Group Authentication
dhanushka ranasinghe
parakrama1282 at gmail.com
Wed Jun 27 05:50:52 CEST 2012
Hi,
I was able to get OpenLDAP group authentication + PAP working with RADIUS. I
used the following settings:
In the users file:
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihx,dc=com"
        Reply-Message = "You are Accepted"
DEFAULT Auth-Type := Reject
and in /etc/freeradius/modules/ldap:
server = "ldap.ihx.com"
identity = "cn=admin,dc=openldap,dc=ihx,dc=com"
password = abc
basedn = "dc=openldap,dc=ihx,dc=com"
filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"
access_attr = "mail"
authtype = ldap
and uncommented the following lines in /etc/freeradius/modules/ldap:
groupname_attribute
groupmembership_filter
groupmembership_attribute
hope this helps,
Thank You
On 26 June 2012 20:44, Julson, Jim <jjulson at marketron.com> wrote:
> Forgive my ignorance, but the variable that you are suggesting I use would
> be something that I had to create locally on my RADIUS servers right? The
> idea is that we use our central point of management which in our case is
> Active Directory. We have hundreds of servers ranging from RHEL 3 up to
> Ubuntu 12.04 as well as Windows boxes. So managing groups on a "per radius
> server" basis isn't really a good choice from a management perspective.
> Using the Active Directory domain, we can have our admins move folks in
> and out of groups as necessary.
>
> Did I understand your suggestion right? Or is that variable
> "--require-membership-of=" something that can help me achieve what I want
> to do? I thought I had to use LDAP for Group Authorization...
>
> -----Original Message-----
> From: freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+jjulson=marketron.com at lists.freeradius.org]
> On Behalf Of NdK
> Sent: Tuesday, June 26, 2012 3:36 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Can't figure out Group Authentication
>
> On 22/06/2012 17:32, Julson, Jim wrote:
>
> > Now, the problem is this. Following Alan DeKok's guide at
> > http://deployingradius.com/documents/configuration/active_directory.html,
> > I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal
> > effort. There were a few things I had to go elsewhere to figure out, but I
> > managed. I have FreeRADIUS setup and authenticating using NTLM_AUTH. I
> > was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This
> > RADIUS server will be for authenticating users on all of our Cisco devices,
> > as well as remote access VPN users. So the problem is this. It's
> > authenticating...a little too well.
>
> Why not add a "default group" var (to be overridden for specific
> clients) and pass it to ntlm_auth in "--require-membership-of="
> parameter? That way you can filter who can authenticate from any NAS.
> And IIUC huntgroups, you can even define groups of clients...
>
> Please correct me if I'm wrong.
>
> BYtE,
> Diego.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
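To make the behaviour of the settings above concrete, here is an added example (not code from the post, and not FreeRADIUS's own implementation) that simulates, in Python, what the ldap module and the two DEFAULT entries in the users file do for a request: expand the `filter` template `(mail=%{Stripped-User-Name:-%{User-Name}})` with RFC 4515 escaping of the user-supplied value, look up the user's DN under `basedn`, check `Ldap-Group ==` against the `member` attribute of the group entry, and return the reply items of the first matching DEFAULT entry. The directory entries (`uid=alice`, `uid=bob`) are constructed sample data; the `ihx` domain, base DN and group DN are taken from the post.

```python
import re

# Values from the post's modules/ldap and users file.
BASEDN = "dc=openldap,dc=ihx,dc=com"
STAFF_GROUP = "cn=staff,ou=groups,dc=openldap,dc=ihx,dc=com"
USER_FILTER = "(mail=%{Stripped-User-Name:-%{User-Name}})"   # 'filter' setting

# Constructed sample directory (hypothetical entries) standing in for the
# OpenLDAP server; only the attributes the configuration touches are present.
DIRECTORY = {
    "uid=alice,ou=people," + BASEDN: {"mail": ["alice@ihx.com"]},
    "uid=bob,ou=people," + BASEDN: {"mail": ["bob@ihx.com"]},
    STAFF_GROUP: {"objectClass": ["groupOfNames"],
                  "member": ["uid=alice,ou=people," + BASEDN]},
}

_XLAT = re.compile(r"%\{([A-Za-z-]+)(?::-([^{}]*))?\}")


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    User-Name such as '*' is matched literally instead of as a wildcard."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def expand(template, request):
    """Expand %{Attr} and %{Attr:-default}, innermost first.  Attribute values
    are escaped on substitution; a default that was itself an expansion has
    already been escaped, so it is inserted as-is."""
    def repl(match):
        attr, default = match.group(1), match.group(2)
        value = request.get(attr)
        if value is None:
            return default if default is not None else ""
        return ldap_escape(value)

    for _ in range(4):                  # bounded: the post's template nests two levels
        expanded = _XLAT.sub(repl, template)
        if expanded == template:
            break
        template = expanded
    return template


def find_user_dn(request):
    """First step of the ldap module: search basedn with the expanded filter
    and take the DN of the matching entry (what FreeRADIUS calls Ldap-UserDn)."""
    flt = expand(USER_FILTER, request)
    wanted = re.fullmatch(r"\(mail=(.*)\)", flt).group(1)
    for dn, entry in DIRECTORY.items():
        if dn.endswith(BASEDN) and wanted in map(ldap_escape, entry.get("mail", [])):
            return dn
    return None


def ldap_group_match(group_dn, user_dn):
    """Ldap-Group == "<group dn>": true when the group entry's member attribute
    lists the user's DN (the groupOfNames branch of groupmembership_filter)."""
    return user_dn in DIRECTORY.get(group_dn, {}).get("member", [])


def authorize(request):
    """Walk the two DEFAULT entries in order; the first whose check items match
    supplies the reply items and, with no Fall-Through, processing stops."""
    user_dn = find_user_dn(request)
    if user_dn is not None and ldap_group_match(STAFF_GROUP, user_dn):
        return {"Reply-Message": "You are Accepted"}   # DEFAULT Ldap-Group == ...
    return {"Auth-Type": "Reject"}                      # DEFAULT Auth-Type := Reject


if __name__ == "__main__":
    for name in ("alice@ihx.com", "bob@ihx.com", "*"):
        print(name, "->", authorize({"User-Name": name}))
```

Running it shows alice (a member of cn=staff) accepted, bob rejected by the second DEFAULT entry, and a User-Name of `*` rejected rather than matching every mail attribute, which is the effect of the escaping the real module applies when it expands `filter`.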