AD Group Check - multi SSID - Pass "Require-membership-of" to NTLM_AUTH as variable.

A.L.M.Buxey at lboro.ac.uk
Mon Jan 30 10:39:17 CET 2017


Hi,

> So, for example, SSID-Corp-Employee is only accessible to certain users,
> members of ADgroupA, and SSID-Corp-Direction only accessible to users
> who are members of ADgroupB.
> 
> When only authenticating with 1 single AD group, there is no problem, the :
> 
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV}
> > --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

don't do that. leave authentication alone and use authorization.


so, use a simple LDAP check to verify if someone can connect - this scales because you match
the SSID to the LDAP group. so, configure the LDAP module so it can query your LDAP (which is AD)
for the user's group and then

if ( ldap_stuff_here != &Called-Station-SSID) {
	reject
}

LDAP stuff can either be an LDAP-Group call or a %{ldap:} call. basically, get the value from LDAP
and check it against the one supplied in the RADIUS request.

alan
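A worked authorize-section fragment in unlang for the approach Alan describes, added here as an example; it is not from the original post or from the FreeRADIUS project. It assumes the NAS sends the SSID in Called-Station-Id (the "MAC:SSID" form) so the stock rewrite_called_station_id policy can populate &Called-Station-SSID, that the ldap module in mods-enabled/ldap is configured against AD with group lookups enabled, and that the SSID and group names (SSID-Corp-Employee, ADgroupA and friends) are site-specific placeholders you replace with your own. ntlm_auth keeps doing MS-CHAP as before, just without --require-membership-of.

```unlang
# Added example (not from the post or from FreeRADIUS): per-SSID group
# authorization. Belongs in the authorize section of the virtual server
# that handles the wireless requests.
authorize {
    # Split "aa-bb-cc-dd-ee-ff:SSID" into Called-Station-Id and
    # &Called-Station-SSID (stock policy from policy.d/filter).
    rewrite_called_station_id

    # Look the user up in AD via rlm_ldap. With cacheable_name = yes in the
    # module's group section, memberships are fetched once here and the
    # LDAP-Group comparisons below are answered from that cache.
    ldap

    # Map each SSID to the one AD group allowed on it. Group identifiers
    # (cn vs full DN) must match how the ldap module's group section is set up.
    switch &Called-Station-SSID {
        case "SSID-Corp-Employee" {
            if (!(&LDAP-Group == "ADgroupA")) {
                reject
            }
        }
        case "SSID-Corp-Direction" {
            if (!(&LDAP-Group == "ADgroupB")) {
                reject
            }
        }
        # Unknown or missing SSID: fail closed instead of falling through.
        case {
            reject
        }
    }

    # Authentication is untouched: mschap still drives ntlm_auth, and the
    # group decision lives only in this authorization step.
    mschap
}
```

The group check runs before any Auth-Type is selected, so it applies the same way to PEAP/MS-CHAPv2 and to any other method that reaches this section, and adding a third SSID is one more case rather than another ntlm_auth command line. Check the debug output (radiusd -X) for the "ldap" and "switch" lines to confirm the SSID was parsed and the expected group matched.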

