Setting ntlm_auth parameters depending on NAS-IP-Address
antoine.benkemoun at nexthink.com
Wed May 7 09:27:46 CEST 2014
We currently have a Freeradius server version 2.1.12 used to authenticate our Wifi users against our Active Directory server. The link between Freeradius and the Active Directory is done by Winbind. In order for the user to be able to obtain authorization, it needs to be belong to a group in the Active Directory. This is done by adding an argument to the ntlm_auth command and it works great so far.
We are now adding 802.1X to our cabled networks and would like to re-use the existing Radius server to authenticate against the same Active Directory. Everything will be the same except the authorization will need to be based on whether the user belongs to a different one than that of the Wifi networks.
I have browsed the Freeradius documentation as much as possible and have seen that it is possible to use conditionnals and variables. My plan therefore was to put a variable in the ntlm_auth command that would contain the group SID (as suggested on this mailing-list : http://freeradius.1045715.n5.nabble.com/Different-Auth-Methods-based-on-client-entries-with-ntlm-auth-td4429781.html). The group SID would be dependent on the IP of the network device which should be contained in "NAS-IP-Address".
This should just be a case of writing a simple conditionnal statement and setting a variable. Nonetheless, I have not been able to do this as Freeradius will not start every time I try to add a conditional to the configuration files. I have tried doing it in the "default" site and a few other places.
How would I go about doing this ? Where would I put the conditional and how would I write it ?
Thank you in advance for your help,
More information about the Freeradius-Users