Setting ntlm_auth parameters depending on NAS-IP-Address

Antoine Benkemoun antoine.benkemoun at nexthink.com
Wed May 7 11:03:19 CEST 2014


Thank you for your answer and sorry for overlooking this.

The syntax that I have added to <RADIUS_ETC_DIR>/sites-enabled/default is the following:

    if (NAS-IP-Address == 172.16.2.254) {
        ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387"
    }
    if (NAS-IP-Address == 172.16.0.200) {
        ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459"
    }

The idea is to set this variable depending on NAS-IP-Address. I have tried putting double quotes around the IP and using ":=" instead of "=" but that still didn't work.

The error I get is:

Module: Checking authorize {...} for more modules to load
/etc/freeradius/sites-enabled/default[72]: Unknown action 'S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387'.
/etc/freeradius/sites-enabled/default[69]: Errors parsing authorize section.

This is what makes me think that I am doing something incorrectly in terms of variable assignment because the conditional seems to happen correctly.

Antoine
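The pattern discussed in this thread (an attribute set under a NAS-IP-Address condition and then interpolated into the ntlm_auth command line), written out as an added illustration; this is not configuration from the thread. It assumes FreeRADIUS 2.x unlang, the built-in internal attribute Tmp-String-0 as the carrier for the SID, and the mschap module's ntlm_auth option; the SIDs are the masked values from the post.

```unlang
# Added illustration, not the thread's own configuration.
# Assumes FreeRADIUS 2.x, the internal attribute Tmp-String-0 and the
# mschap module's ntlm_auth option. SIDs are the masked values from the post.

# raddb/sites-enabled/default, inside authorize { ... }, before the "mschap"
# line, so the attribute exists by the time ntlm_auth is expanded.
# In unlang an attribute is set inside an "update" block; a bare
# "name = value" line is read as a module call with an action override,
# which is what produces an "Unknown action '...'" parse error.
if (NAS-IP-Address == 172.16.2.254) {
    update request {
        Tmp-String-0 := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387"
    }
}
elsif (NAS-IP-Address == 172.16.0.200) {
    update request {
        Tmp-String-0 := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459"
    }
}
else {
    # Unmapped NAS: refuse rather than run ntlm_auth without a group check.
    reject
}

# For PEAP/TTLS the MS-CHAP step runs in the inner-tunnel virtual server;
# there the outer attribute is reachable as %{outer.request:NAS-IP-Address}.

# raddb/modules/mschap: interpolate the attribute into the group check.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{Tmp-String-0}"
}
```

NAS-IP-Address is a value the NAS places in the packet; the address the server actually verified against the shared secret is available as Packet-Src-IP-Address, so keying the policy on that (or on the client entry in clients.conf) is the firmer check.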

________________________________________
From: freeradius-users-bounces+antoine.benkemoun=nexthink.com at lists.freeradius.org <freeradius-users-bounces+antoine.benkemoun=nexthink.com at lists.freeradius.org> on behalf of Stefan Paetow <Stefan.Paetow at ja.net>
Sent: Wednesday, May 7, 2014 10:23 AM
To: FreeRadius users mailing list
Subject: RE: Setting ntlm_auth parameters depending on NAS-IP-Address

What's the error message when you try to run radiusd -X?

Without the debug output, no-one knows what your condition was that you inserted, or where you inserted it, or what the error message is.

Stefan


-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org] On Behalf Of Antoine Benkemoun
Sent: 07 May 2014 08:28
To: freeradius-users at lists.freeradius.org
Subject: Setting ntlm_auth parameters depending on NAS-IP-Address

Hello,

We currently have a Freeradius server version 2.1.12 used to authenticate our Wifi users against our Active Directory server. The link between Freeradius and the Active Directory is done by Winbind. In order for the user to be able to obtain authorization, it needs to belong to a group in the Active Directory. This is done by adding an argument to the ntlm_auth command and it works great so far.

We are now adding 802.1X to our cabled networks and would like to re-use the existing Radius server to authenticate against the same Active Directory. Everything will be the same except that the authorization will need to be based on whether the user belongs to a different group from the one used for the Wifi networks.

I have browsed the Freeradius documentation as much as possible and have seen that it is possible to use conditionals and variables. My plan therefore was to put a variable in the ntlm_auth command that would contain the group SID (as suggested on this mailing list: http://freeradius.1045715.n5.nabble.com/Different-Auth-Methods-based-on-client-entries-with-ntlm-auth-td4429781.html). The group SID would be dependent on the IP of the network device, which should be contained in "NAS-IP-Address".

This should just be a case of writing a simple conditional statement and setting a variable. Nonetheless, I have not been able to do this, as Freeradius will not start every time I try to add a conditional to the configuration files. I have tried doing it in the "default" site and a few other places.

How would I go about doing this? Where would I put the conditional and how would I write it?

Thank you in advance for your help,

Antoine


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

