Group verification with Multiple SSID
Chitrang Srivastava
chitrang.srivastava at gmail.com
Mon Oct 1 14:28:21 CEST 2012
Hi,
I have a use case where I have 2 SSIDs and 2 databases of users: one of
locally configured users in a group, and another set of users on an LDAP server.
SSID 1 -> Local group of users on the RADIUS server
SSID 2 -> Set of users configured in LDAP
Authentication: PEAP-MSCHAPv2
I have modified the mschap module to do ntlm_auth for SSID 2 and use the default
mschap module for SSID 1, so now I have 2 mschap modules in my radiusd.conf
and use unlang to place an if-elsif condition in the authorize and authenticate
blocks.
The above setup is working fine.
But I also need to verify the LDAP group (i.e. whether the user belongs to the
group or not). The issue is that for SSID 1 users, radiusd is trying to do a
group comparison on the LDAP server, which eventually fails. I guess the reason
for this is that we have 1 users file and radiusd refers to it for each user.
There should be a way for radiusd to know which users file to refer to for each SSID.
To solve the issue I have created 2 users files:
users -> for LDAP users group policy
users_local -> for local users
and created 2 modules like this:
    # second instance of the files module, reading the users_local file created above
    files files_local {
        usersfile = ${confdir}/users_local
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
and modified the authorize block:
    if (Wlan == "local") {
        files_local
    }
    elsif (Wlan == "ldap") {
        redundant {
            ldap_primary
            ldap_secondary
        }
    }
    else {
        files_local
    }
It seems to be working. I just wanted to check with the experts here: is this
the way to go,
or is there some other simpler way?