LDAP-Groups

[Jose]

I forgot to add the link I used to configure radius to use AD.  

I followed the instructions on this link - http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source.  That worked.  Thank you for your help.


      From: "A.L.M.Buxey at lboro.ac.uk" <A.L.M.Buxey at lboro.ac.uk>
 To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org> 
 Sent: Thursday, April 28, 2016 2:40 PM
 Subject: Re: LDAP-Groups
   
Hi,

> The following works but I do see a lot more ldap searches in debug (below) than I expected.

yes - unless you only call LDAP module specifically where needed
then it will be called frequently. you are using it auth authorisation/authentication
too it seems - so yes, you'll need it.

at this point, i advise you to get off 2.x release ASAP and use 3.x instead (ideally 3.1.x) because
then you can use the powerful cache module to cache things from LDAP in various other parts
of the server and theres also a connection pool to enhance connection resiliency/usage.

> Then in post auth I assign VLAN attr. In both inner and default if I want both EAP and radtest to work.

do you NEED radtest to work - given that its PAP authentication....
I ask because if you are calling it in the outer default, then
you'll not only be calling it twice when the inner is used
(inner completes with its post-auth, then outer completes with
its post-auth - look at the RADIUS flow in debug output)
but also, the outerid is 'junk' when inner-tunnel/EAP is used...
so you could have for example

user1 at realm as outerid
user2 at realm as innerid.

innerID is real user - they auth...and get policy for them
outerid sees user2 and thus assigns policy that user2 should get!


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html