Freeradius 3.x with LDAP authentication

Adam Cage adamcage27 at gmail.com
Mon Aug 14 22:15:43 CEST 2017


Dear Alan, we just have a Freeradius server deployed according to the howto
you pointed to. It works OK now.

But we have to use LDAP authentication against an AD server, because in the
near future we have to use the "ldap-group" attribute in order to group
wifi users by SSID, and let them use different wifi networks.

So if I use the server I have developed according to your guide with NTLM
and MSCHAP2, I won't be able to use the "ldap-group" attribute. So I think it
is mandatory that we use LDAP authentication and authorization.

Please confirm to me if I am ok or not, because maybe using your
recommended configuration I can add the ldap-group attribute in order to
select group of users by SSID.

Thanks a lot again.

ADAM

2017-08-14 17:01 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

> On Aug 14, 2017, at 9:26 PM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > Hi people, we wanna authenticate WiFi users against a Freeradius 3.x
> > server, these users are defined in a Windows Active Directory remote
> > server.
>
>   Follow the guide here:  http://deployingradius.com/documents/configuration/active_directory.html
>
> > We have the base_dn search defined, and there they are all the valid users
> > who can use the WiFi service.
> >
> > We wanna use LDAP to initially authenticate and in the future authorize the
> > accesses.
>
>    For PEAP, no, that doesn't work.  AD isn't really an LDAP server.
>
> > Please can anybody point to me a detailed howto, because we are confused if
> > we have to use LDAP with MSCHAP, PAP, EAP or whatever???
>
>   Follow the guide above.  It will work.
>
> > And also we are confused about the AD object we have to use in the filter
> > string: uid, samaccountname, mail...What does this selection
> > depend on ???
>
>   It depends on what you want to do.  Where are the user accounts in AD?
>
> > And the last question: I'm using a Debian server with the freeradius and
> > freeradius-ldap distribution packages, is it a good idea or
> > maybe it's better to use the tar.gz version???
>
>   Use 3.0.15.  The debian versions are typically years out of date.
>
>   Alan DeKok.

