FreeRadius 3.0.11 and Winbind

Matthew Newton mcn4 at leicester.ac.uk
Fri Nov 11 14:12:54 CET 2016


On Fri, Nov 11, 2016 at 01:15:33PM +0100, Herwin Weststrate wrote:
> On 11-11-16 13:07, Albert K wrote:
> > I am doing a setup that has the following criteria. I have set it up as per
> > the instructions from the freeradius wiki but am stuck on the Dynamic VLAN part. May
> > I know where I can get further information on Authorization for VLAN
> > setup? Thank you for helping.
> > 
> > https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> 
> That page doesn't (and shouldn't) have a Dynamic VLAN part.
> 
> Release 3.0.x can only use winbind to do the authentication: pass a
> username and a password-hash-thingy to Active Directory and ask if this
> combination is correct.

3.0.x can do MSCHAPv2 direct to winbindd with the rlm_mschap
module.

3.1.x/4.0.x (dev versions) can do PAP direct to winbindd with the
rlm_winbind module.

> Release 3.1.x/4.0.x add possibilities to find the groups of the user (I
> believe, it might be possible this was only proposed but not yet added).

rlm_winbind in 3.1.x can search groups. Though from a discussion
on the Samba mailing list the other day it turns out this isn't as
reliable and/or simple as expected, so the functionality might
have to change or go away. To be safe only use it after a
successful authentication.

> You can still use the LDAP-protocol to search for the groups of a user
> to base the VLAN on that, but that is not related to the winbind
> authentication process.

That is still the recommended way, and the only way in 3.0.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
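
The approach recommended in the message above for 3.0.x (authenticate via winbind, then use LDAP group membership to pick the VLAN) could look like the following FreeRADIUS unlang fragment. This is an added example, not configuration from the thread or the FreeRADIUS project; the group names and VLAN IDs are constructed placeholders, and it assumes an `ldap` module instance whose group lookup settings are already configured for the directory and that `User-Name` in this section is the identity to look up.

```text
# Added example: post-auth section of the virtual server handling the request.
# post-auth runs only for requests that have already been accepted, so the
# LDAP group lookup happens after authentication has succeeded.
#
# Assumptions (not from the thread):
#   - rlm_ldap instance is named "ldap", so the comparison attribute is LDAP-Group
#   - "net-staff" / "net-students" are placeholder group names
#   - VLAN IDs 10, 20 and 999 are placeholder values
post-auth {
    if (LDAP-Group == "net-staff") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (LDAP-Group == "net-students") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Authenticated but in no known group: assign a restricted VLAN
        # explicitly instead of leaving the port on the switch default.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "999"
        }
    }
}
```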
