freeRadius against Active Directory
p.mayers at imperial.ac.uk
Tue Oct 9 11:10:47 CEST 2012
On 09/10/12 07:51, Martin.Heinzmann at belden.com wrote:
> I thought the whole meaning of binding a freeRadius to an Active
> Directory is that I have from now on just to configure Users in the AD.
> So every device I want to authenticate on asks the FR which then asks
> the AD. So the AD will answer if the User is valid and which
> Service-Type he has.
Service-Type is a RADIUS thing. AD is a Microsoft LDAP server & some
other protocols. It doesn't have a Service-Type attribute. You will need
to query AD, and define a mapping from some AD attribute to Service-Type.
You will need to use the "ldap" module for this; see in particular
ldap.attrmap that lets you define mappings from LDAP attributes to
RADIUS reply attributes.
Note: the LDAP bit of AD is really separate from the "authentication"
bit. They're separate, and are configured separately.
> On my AD Server I installed the Role NPS, configured a RADIUS-Client and
> some Network Policies. Maybe I am on the right way, maybe not... :-(
I doubt it. I don't see how that would help.
> The AD successfully tells the FR if the user is valid, just that
> Service-Type is missing.
Again - Service-Type is a RADIUS thing. AD doesn't speak RADIUS. You
need to define a translation / mapping.
More information about the Freeradius-Users
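As an added illustration of the mapping the reply describes (this is example configuration written for this page, not the poster's or the FreeRADIUS project's own files), here is what the "ldap" module plus an ldap.attrmap entry look like in a FreeRADIUS 2.x layout. The server name, bind DN, base DN and the AD attribute name `adRadiusServiceType` are assumptions: AD has no Service-Type attribute of its own, so you must either extend the schema with an attribute like this or pick an existing unused string attribute, and the attribute's value must be a name the RADIUS dictionary knows for Service-Type (for example `Administrative-User` or `Login-User`), otherwise the ldap module cannot parse it and no Service-Type is sent.

```text
# raddb/modules/ldap  (FreeRADIUS 2.x; hostnames and DNs are constructed examples)
ldap {
        server = "dc1.example.com"
        identity = "cn=radius-svc,cn=Users,dc=example,dc=com"
        password = "bind-password-here"
        basedn = "dc=example,dc=com"

        # AD users are matched on sAMAccountName, not uid
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # The file that maps LDAP attributes to RADIUS check/reply items
        dictionary_mapping = ${confdir}/ldap.attrmap
}

# raddb/ldap.attrmap  (format: <checkItem|replyItem> <RADIUS attribute> <LDAP attribute>)
# "adRadiusServiceType" is an assumed AD attribute; it does not exist by default.
replyItem       Service-Type            adRadiusServiceType

# raddb/sites-enabled/default  (only the relevant lines)
authorize {
        ...
        # Look the user up in AD and apply ldap.attrmap to build the reply.
        # This is the "LDAP bit": it fetches attributes, it does not check the password.
        ldap
        ...
}
authenticate {
        # The "authentication bit" is configured separately, e.g. mschap with
        # ntlm_auth against the domain; the ldap module above is not involved here.
        ...
}
```

With this in place a user whose AD entry carries `adRadiusServiceType: Administrative-User` gets `Service-Type = Administrative-User` in the Access-Accept, while a user without the attribute gets no Service-Type at all, so the NAS falls back to its own default. Check the effect with `radiusd -X`, which logs each attribute the ldap module pulls from the entry and any value it fails to parse.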