FreeRADIUS + Cisco + Active Directory

Rashad Hall trynot24 at gmail.com
Wed Jan 6 20:03:10 CET 2016


We are seeing if we can avoid using LDAP, as it requires exposing the
credentials (to myself) used to bind to LDAP. We have audit requirements,
and our SysAdmins are the only persons who should know these credentials.
With that being said, we are trying to find any workaround to avoid LDAP. I
was able to find this page (
http://blog.chapus.net/freeradius-active-directory-group-check/) where the
author states he had a working implementation that does not use LDAP. I
have added the unix module to my authorize section and created if
statements in my post-auth section:

post-auth {
        exec
        if ((Group == 'DOMAIN\network admins') ) {
                update reply {
                        Service-Type = NAS-Prompt-User,
                        cisco-avpair := "shell:priv-lvl=15"
                }
        }
        else {
                update reply {
                        Service-Type = NAS-Prompt-User,
                        cisco-avpair := "shell:priv-lvl=3"
                }
        }

        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

But I am unsure where this "Group" attribute is coming from in the if
condition (unix module?) and if it is populating correctly as the condition
is not showing true, when it is (assuming the attribute is indeed the one
needed). Below is relevant debug output:

(0)   authenticate {
(0) ntlm_auth: Executing: /usr/local/bin/ntlm_auth --request-nt-key
--domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
--require-membership-of='DOMAIN\noc_staff':
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=rashad.hall
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=password
(0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success
(0x0)'
(0) ntlm_auth: Program executed successfully
(0)     [ntlm_auth] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/KIO
(0)   post-auth {
(0)     [exec] = noop
(0)     if ((Group == 'DOMAIN\network admins') ) {
(0)     if ((Group == 'DOMAIN\network admins') )  -> FALSE
(0)     else {
(0)       update reply {
(0)         Service-Type = NAS-Prompt-User
(0)         cisco-avpair := "shell:priv-lvl=3"
(0)       } # update reply = noop
(0)     } # else = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 19 from 192.168.20.90:1812 to 192.168.20.138:1645
length 0
(0)   Service-Type = NAS-Prompt-User
(0)   Cisco-AVPair := "shell:priv-lvl=3"
(0) Finished request

Any ideas? We will end up using LDAP if needed but if there is a decent
workaround we are not concerned about optimal performance for the moment.
Thanks.

On Wed, Jan 6, 2016 at 4:59 AM, <A.L.M.Buxey at lboro.ac.uk> wrote:

> Hi,
>
> > I was actually surprised how much I could easily port from a 2.x config
> > to 3.0 without much effort, great job! (I know I'm late to game of
> > FreeRADIUS 3.0). I actually like the changes that were made to the ldap
> > module so far.
>
> a lot of things cleaned up...and as for the changes to LDAP - so do we! :-)
> (we've now removed 90% of our usage of PERL and external hooks because of
> things that can be done natively in 3.1.x - looking at that last 10% ! ;-)
> )
>
> alan
>
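An added example (not from the original post or the linked blog) of the no-LDAP route: the `Group` check item belongs to rlm_unix and is compared against local /etc/group membership, so it never sees AD groups, whereas the `--require-membership-of` check ntlm_auth already performs in the authenticate section can be repeated for authorisation with a second exec instance and a branch on its return code. The instance name `ntlm_auth_netadmins` is made up; the domain, binary path, group name and the PAP-only `%{User-Password}` expansion are taken from the post.

```conf
# mods-available/ntlm_auth_netadmins -- hypothetical instance name (added example).
# Same invocation as the post's authenticate step, but requiring the admin
# group. With wait = yes the exit code becomes a module return code:
# exit 0 (member) -> ok, anything else (not a member, or auth error) -> fail.
# The group is written exactly as in the post's working ntlm_auth line.
exec ntlm_auth_netadmins {
        wait = yes
        program = "/usr/local/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of='DOMAIN\network admins'"
}

# sites-enabled/KIO, post-auth section
post-auth {
        # Run the group check. "fail = 1" overrides the default priority,
        # under which a fail return would end post-auth immediately and
        # reject the non-admin user; with the override unlang continues
        # to the branches and the later update (noop) wins.
        ntlm_auth_netadmins {
                fail = 1
        }

        # if (ok) tests the return code of the preceding module call.
        if (ok) {
                update reply {
                        Service-Type = NAS-Prompt-User
                        cisco-avpair := "shell:priv-lvl=15"
                }
        }
        else {
                update reply {
                        Service-Type = NAS-Prompt-User
                        cisco-avpair := "shell:priv-lvl=3"
                }
        }

        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```

Each extra group costs one more ntlm_auth fork per login, which matches the "not concerned about optimal performance" trade-off stated in the post; a user who is in no listed group still gets the priv-lvl=3 reply from the else branch.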