Freeradius with AD

Jose jose3n at yahoo.com
Thu Apr 28 21:16:42 CEST 2016


We currently have an OpenLDAP server where we have users in various OUs. We also have Active Directory with our students and staff in different OUs.
How do we configure radius to authenticate with a particular OU instead of everything? For example, only have it authenticate with OU=students.
Thanks.

      From: Mathieu Simon (Lists) <matsimon.lists at simweb.ch>
 To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org> 
 Sent: Thursday, April 28, 2016 2:56 PM
 Subject: Re: Freeradius with AD
   
Hi Jose

On 28.04.2016 at 20:28, Jose via Freeradius-Users wrote:
[...]
> My boss wants me to tweak the system a bit to separate staff from
> students.  We have an OU for staff and another for students.
> The problem I have is I have no idea where in radius do I configure this option.  
> We want to be able to tell radius that if a student logs into for example to the staff SSID they are rejected but if they log into their student SSID, access is granted.  

> How do I make that happen?  Thank very much for any help you can provide.
So what you (likely) do is authentication (are the credentials correct?)
but no authorization (is the person allowed?).

I guess that you'll want to look into LDAP authorization.
For that you'll have to setup and enable the LDAP module to talk to your
AD domain controllers.

You can configure the LDAP module to look up users and in the
post-authorize section of the virtual server where you can check if the
user is i.e. part of a certain group. (what I do)

If you have separate OUs you may read the DistinguishedName attribute
and do some matching based on that.

Concerning the 2 SSIDs: Depending on your wireless hardware you may be
able to do radius-based VLAN assignment where you can (after checking
the authorization) add to the reply to the AP or Wireless controller the
VLAN ID. The AP or controller will then put the respective traffic in
the respective VLAN.

This way you can have 1 SSID for all users but they will be put in their
respective VLAN which keeps staff and students separate from each other.
From a support perspective it's useful since you have to tell users to
just connect to this one SSID (they don't have to think about who they
are and then select the right SSID).

It's only pointers here but if you can share your current configuration
(i.e. if you followed the AD documentation on the Wiki) more precise
answers may be possible.

-- Mathieu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
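A concrete sketch of the two approaches Mathieu outlines (reject on the wrong SSID, or one SSID with RADIUS-assigned VLANs), as an added example for this thread. It is not part of the original messages and not FreeRADIUS's shipped configuration; it is written against the FreeRADIUS 3.0 config layout (mods-available/ldap, sites-enabled/default), where the check he calls "post-authorize" lives in the post-auth section. The domain, DNs, bind account, SSID names, CA path and VLAN IDs are all assumptions. Authentication itself is left as already configured (e.g. mschap/ntlm_auth per the AD wiki page); the ldap module is only used here for the lookup.

```unlang
# /etc/raddb/mods-available/ldap  (excerpt; all values below are assumed)
ldap {
    server = "dc1.example.edu"      # assumption: one of your AD domain controllers
    port = 636                      # LDAPS; AD refuses simple binds over cleartext LDAP
    identity = "CN=radius,OU=Service Accounts,DC=example,DC=edu"   # assumed read-only bind account
    password = "change-me"          # placeholder, keep the real one out of version control
    base_dn = "DC=example,DC=edu"

    user {
        base_dn = "${..base_dn}"
        # AD users log in with sAMAccountName, not uid
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "OU=Groups,${..base_dn}"       # assumed container for the Staff/Students groups
        filter = "(objectClass=group)"
        name_attribute = cn
        # AD keeps membership on the user object, so read memberOf instead of searching the group
        membership_attribute = "memberOf"
    }

    tls {
        ca_file = /etc/raddb/certs/ad-ca.pem     # assumed CA that issued the DC certificate
        require_cert = "demand"                  # do not talk to a DC whose cert fails validation
        start_tls = no                           # already on 636
    }
}

# /etc/raddb/sites-enabled/default  (excerpt)
authorize {
    # ... existing filter_username, preprocess, mschap etc. stay as they are ...

    # Look the user up in AD: sets control:LDAP-UserDN and enables LDAP-Group comparisons.
    ldap

    # ... existing Auth-Type selection (e.g. ntlm_auth/mschap) stays as it is ...
}

post-auth {
    # Option 1 (two SSIDs): credentials were valid, now check authorization.
    # Most APs/controllers send Called-Station-Id as "<AP-MAC>:<SSID>"; SSID names are assumed.
    if (&Called-Station-Id =~ /:staff-wifi$/i) {
        if (&LDAP-Group != "CN=Staff,OU=Groups,DC=example,DC=edu") {
            reject          # a student who authenticated fine is still turned away from staff SSID
        }
    }
    elsif (&Called-Station-Id =~ /:student-wifi$/i) {
        # Matching on the user's OU via the DN instead of a group, as the reply also suggests
        if (&control:LDAP-UserDN !~ /,OU=Students,DC=example,DC=edu$/i) {
            reject
        }
    }

    # Option 2 (one SSID): let the AP/controller put the client in the right VLAN.
    # Tunnel-Type VLAN / Tunnel-Medium-Type IEEE-802 are the standard RFC 3580 attributes;
    # the VLAN IDs 10 and 20 are assumed.
    if (&LDAP-Group == "CN=Staff,OU=Groups,DC=example,DC=edu") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (&LDAP-Group == "CN=Students,OU=Groups,DC=example,DC=edu") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        reject              # neither staff nor student: no VLAN, no access
    }

    # ... existing post-auth entries (e.g. exec, remove_reply_message_if_eap) ...
}
```

Run `radiusd -X` and send a test request with `radtest` for one staff and one student account while watching the debug output: you should see the ldap module report the DN it found, the LDAP-Group comparison resolving through memberOf, and either the Tunnel-* attributes in the Access-Accept or the reject firing in post-auth. In a real deployment you would keep only one of the two options above, and the `else { reject }` branch is what stops a valid AD account that is in neither OU from silently getting onto the network.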
