AD Group Check - multi SSID - Pass "Require-membership-of" to NTLM_AUTH as variable.
A.L.M.Buxey at lboro.ac.uk
A.L.M.Buxey at lboro.ac.uk
Mon Jan 30 10:39:17 CET 2017
Hi,
> So, for exemple, SSID-Corp-Employee is only accessible to a certain users,
> member of ADgroupA , and SSID-Corp-Direction, only accessible to users,
> member of ADgroupB
>
> When only authenticating with 1 single AD group, there is no problem, the :
>
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV}
> > --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re
> > sponse}:-00}"
dont do that. leave authentication alone and use authorization
so, use simple LDAP check to verify if someone can connect - this scales because you match
the SSID to the LDAP group..so , configure the LDAP module so it can query your LDAP (which is AD)
for the users group and then
if ( ldap_stuff_here != &Called-Station-SSID) {
reject
}
LDAP stuff can either be an LDAP-Group call or a %{ldap:} call. basically, get value from LDAP
and check against that supplied in the RADIUS request
alan
More information about the Freeradius-Users
mailing list