AD Authentication Permissions
aland at deployingradius.com
Sat Jan 5 01:44:10 CET 2013
Tyler Brady wrote:
> I am setting up a freeRADIUS (2.1.10) server for my network. I have
> everything working how I want it to except for some of the permission
> settings. For example, when users log in to Motorola radios in my
> network via freeRADIUS they only receive read-only permissions. Or when
> a Cisco user logs in I would like for them to receive automatic
> #privilege level 15. I need for users to receive admin privileges. How
> do I accomplish this?
Use LDAP groups.
> NOTE: I’m authenticating against active directory. So where can I
> configure things like “/cisco/-/avpair/ = /shell/:/priv/-/lvl=15, or
> Motorola-WIBB-Auth-Role = system-admin-role?” I// understand how to
> configure permissions when you have individual users configured in
> users.conf. file. How do you configure permissions when you don’t have
> any local users configured, but are using Active Directory?/
> /Right now I use only one Active Directory group “//Radius-Users//” for
> authentication. If a user is part of the //Radius-Users// group on the
> AD server, then they get access. This is fine for now, but in the future
> I would like to set up more granular access control. I have seen a lot
> of talk about LDAP groups, but have not been able to find decent
> information on it. Ideally I would like for there to be several
> different user groups set up with different permissions for each. How do
> you accomplish this with freeRADIUS + Active Directory?/
Set up groups in LDAP. See the LDAP / AD documentation.
Then, in FreeRADIUS, check them:
#-- users file
DEFAULT LDAP-Group == "foo", ...
More information about the Freeradius-Users