FreeRADIUS and Active Directory Integration

Scott Pickles scottpickles at yahoo.com
Wed Jul 22 20:12:19 CEST 2015


Is this correct?
[/etc/raddb/sites-available/default]
...
authorize {
    preprocess
    rewrite_calling_station_id

    eap {
        ok = return
        updated = return
    }
    files
    ldap
    if (LDAP-Group != 'VPN-Internal') {
        reject
    }
    ntlm_auth
}

authenticate {
    #Auth-Type PAP {
    #    pap
    #}

    #Auth-Type CHAP {
    #    chap
    #}

    Auth-Type ldap {
        ldap
    }

    Auth-Type MS-CHAP {
        mschap
    }
    #digest
    eap
}
...

On Wednesday, July 22, 2015 12:11 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

> On Jul 22, 2015, at 11:59 AM, Scott Pickles via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I'm sure you're reading the subject going "ugh not another one".  But there is so much documentation out there and all of it slightly different that I don't know which end is up at this point.  I would like to use FreeRADIUS to authenticate VPN users and wireless, and I'm working on VPN right now.  From what I understand so far, I want to use LDAP to check if the person is in the right group first, and if not reject them.  If they are in the right group then authenticate using ntlm_auth.  I am also understanding that the place to do this is no longer the users/authorize file and that it should be done in the 'default' file using 'unlang'.  Is this correct so far?  If so, can someone give me an example of the 'unlang' portion?
> 


if (LDAP-Group != 'VPNgroup') {
    reject
}

LDAP should be replaced with the instance of the LDAP module you're using.

-Arran
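A fuller version of the authorize/authenticate fragment discussed in this thread, added here as an example; it is not code from either poster. It assumes FreeRADIUS 3.0 unlang syntax, an LDAP module instance named ldap (which is why the check attribute is called LDAP-Group, as Arran points out), an exec module instance named ntlm_auth as shipped in mods-available/ntlm_auth, and 'VPN-Internal' as a placeholder for the real AD group name:

```unlang
#  Example fragment for sites-available/default (added example, not the
#  thread's own config).  Assumptions: FreeRADIUS 3.0 syntax, LDAP module
#  instance "ldap", exec module instance "ntlm_auth", group name placeholder.
authorize {
    preprocess
    rewrite_calling_station_id

    #  EAP requests return out of authorize here (ok = return / updated =
    #  return), so everything below runs only for non-EAP requests such as
    #  a VPN concentrator sending PAP or MS-CHAP.
    eap {
        ok = return
        updated = return
    }

    files

    #  Look the user up in AD over LDAP.  If the user does not exist the
    #  module returns "notfound"; reject now rather than running ntlm_auth.
    ldap
    if (notfound) {
        reject
    }

    #  Group membership check.  LDAP-Group is registered by the instance
    #  named "ldap"; an instance named "ad" would register "ad-Group".
    if (&LDAP-Group != 'VPN-Internal') {
        update reply {
            Reply-Message := "Not a member of the VPN group"
        }
        reject
    }

    #  Password checking is handed to Samba's ntlm_auth.  Only set the
    #  Auth-Type for PAP requests and only if nothing else claimed them.
    if (&User-Password && !&control:Auth-Type) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

authenticate {
    #  MS-CHAP requests still go through rlm_mschap (which can itself be
    #  configured to call ntlm_auth / winbind).
    Auth-Type MS-CHAP {
        mschap
    }

    #  Runs the exec module instance "ntlm_auth" for PAP requests whose
    #  Auth-Type was set in authorize above.
    Auth-Type ntlm_auth {
        ntlm_auth
    }

    eap
}
```

Because the eap block returns early for EAP requests, this group check never runs for wireless (PEAP/TTLS) authentication in the default site; the same check has to be repeated in the inner-tunnel site, where the inner identity is authorized. Run radiusd -X and radtest against a user in and a user outside the group to confirm the reject fires before ntlm_auth is executed.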
