FreeRADIUS and Active Directory Integration
A.L.M.Buxey at lboro.ac.uk
A.L.M.Buxey at lboro.ac.uk
Wed Jul 22 19:06:14 CEST 2015
Hi,
> I'm sure you're reading the subject going "ugh not another one". But there is so much documentation out there and all of it slightly different that I don't know which end is up at this point. I would like to use FreeRADIUS to authenticate VPN users and wireless, and I'm working on VPN right now. From what I understand so far, I want to use LDAP to check if the person is in the right group first, and if not reject them. If they are in the right group then authenticate using ntlm_auth. I am also understanding that the place to do this is no longer the users/authorize file and that it should be done in the 'default' file using 'unlang'. Is this correct so far? If so, can someone give me an example of the 'unlang' portion?
i
depends on the auth type. if the VPN is just a PAP request then you can use ntlm_auth *OR* kerberos. ntlm_auth
config will need to be changed as its not challenge-response for PAP...krb5 just works. for wireless, thats PEAP or EAP-TTLS
with MSCHAPv2 (ntlm_auth, standaard) or PAP (kerberos again).
as for doing it in 'default' - well, thats down to you and how you are going about things... I'd avoid touching the default
server and create a duplicate, name it something else and configure clients.conf to point to that virtual-server..thus you can edit
it, play with it and have the default server as 'virgin territory' to compare options and how the server shipped originally.
man unlang
for how to operate with unlang good starting point for understanding syntax and language - then look at resources
(and the mailing list history is a great place... google for unlang ldap group membership etc
alan
More information about the Freeradius-Users
mailing list