Trying to Authorize Users based on AD Groups and SSIDs
Alan DeKok
aland at deployingradius.com
Wed Feb 15 18:11:33 CET 2017
On Feb 15, 2017, at 11:47 AM, Misbah Hussaini <misbhauddin at gmail.com> wrote:
> I'm trying to configure PEAP Authentication with AD backend on my FR Server
> which is running version 3.0.4 on Centos 7. So far, I'm able to
> authenticate against AD but group membership checking is not working,
> appreciate if some help can be provided.
Group membership checking *should* be just LDAP group checking. And that's well documented in the wiki.
> I want to map my SSIDs - SSID02362, SSID02363 etc to AD groups so that
> users in specific groups can access that particular SSID. As mentioned in
> man page of rlm_ldap I have configured group membership check in post-auth
> by adding below configuration in default and inner-tunnel config files but
> my users are getting access-reject messages. If I remove the ldap-group
> check config then all users are able to authenticate and access SSID, of
> course without any control.
You need to check the inner identity against the group, which means checking it in the inner tunnel.
> post-auth {
>     if (LDAP-Group == "FR-TEST") {
>         noop
>     }
>     else {
>         reject
>     }
> }
That's overly complex. Why not just "if group, reject"? Why the extra "noop"?
In the "inner-tunnel" virtual server, do:
authorize {
    ...
    if (!State) {
        if ((Calling-Station-SSID == "SSID02362") && (LDAP-Group != "SSID02362")) {
            reject
        }
        # ... and the same for other SSIDs and groups
    }
}
That's assuming that the SSID is in the Calling-Station-SSID attribute, of course. See the debug log for details.
Alan DeKok.
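A fuller version of the inner-tunnel check sketched in the reply, added here as an illustration and not taken from the reply or from the FreeRADIUS distribution. It gates both SSIDs named in the question on an AD group of the same name and fails closed for any SSID that has no mapping. The attribute name Calling-Station-SSID is carried over from the reply as an assumption, so confirm the real attribute name in the "radiusd -X" debug output before relying on it; the group names are constructed for the example.

```unlang
# Added example for sites-enabled/inner-tunnel, "authorize" section.
# Not from the reply above; assumes the SSID is present in
# Calling-Station-SSID (verify in debug output) and that an AD group
# exists with the same name as each SSID (constructed names).
authorize {
    # The inner identity is only available on the first inner round,
    # which has no State attribute yet, so the group check runs once.
    if (!State) {
        if (Calling-Station-SSID == "SSID02362") {
            # Only members of the matching AD group may use this SSID.
            if (LDAP-Group != "SSID02362") {
                reject
            }
        }
        elsif (Calling-Station-SSID == "SSID02363") {
            if (LDAP-Group != "SSID02363") {
                reject
            }
        }
        else {
            # Unknown SSID: fail closed instead of granting uncontrolled access.
            reject
        }
    }
    # The existing module calls of the inner-tunnel authorize section
    # (filter_username, eap, ldap, and so on) remain below this block.
}
```

Because the check lives in the inner tunnel, LDAP-Group is compared against the inner (real) identity rather than the anonymous outer identity, which is why the same check placed in the default server's post-auth section rejected everyone.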