AD Group Check - multi SSID - Pass "Require-membership-of" to NTLM_AUTH as variable.

Pierre de Jong pierredejong at gmail.com
Tue Jan 31 19:40:13 CET 2017


Hi,

Could someone give me some "ways to go" with the LDAP module? Online tutorials
that go from A to Z?

What about the "FreeRadius" flow.... the difference between default and inner-tunnel?
Authentication and authorization?

:shy:

Thanks in advance

Have a nice day

2017-01-30 10:39 GMT+01:00 <A.L.M.Buxey at lboro.ac.uk>:

> Hi,
>
> > So, for example, SSID-Corp-Employee is only accessible to certain
> > users, members of ADgroupA, and SSID-Corp-Direction is only accessible
> > to users who are members of ADgroupB
> >
> > When only authenticating with 1 single AD group, there is no problem,
> > the:
> >
> > > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>
> don't do that. leave authentication alone and use authorization
>
>
> so, use a simple LDAP check to verify if someone can connect - this scales
> because you match the SSID to the LDAP group.. so, configure the LDAP module
> so it can query your LDAP (which is AD) for the user's group and then
>
> if ( ldap_stuff_here != &Called-Station-SSID) {
>         reject
> }
>
> LDAP stuff can either be an LDAP-Group call or a %{ldap:} call. basically,
> get value from LDAP
> and check against that supplied in the RADIUS request
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
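Alan's authorization-based approach, written out as a FreeRADIUS 3.x unlang fragment. This is an added example, not configuration from either poster: it assumes the stock `rewrite_called_station_id` policy (which fills `&Called-Station-SSID` from `Called-Station-Id`), an `ldap` module instance configured for AD group lookups with groups named by `cn`, and `copy_request_to_tunnel = yes` in the eap module's peap/ttls section so `Called-Station-Id` is visible inside the tunnel; the SSID and group names come from the thread, and it also rejects unknown SSIDs, which the thread does not discuss.

```unlang
# Relevant part of the authorize section of sites-enabled/inner-tunnel.
# The check belongs in the inner tunnel so it runs on the authenticated
# inner identity, not on the (possibly anonymous) outer identity.
authorize {
    # Split Called-Station-Id ("<AP-MAC>:<SSID>") into &Called-Station-SSID.
    rewrite_called_station_id

    # Look the user up in AD so the LDAP-Group comparison below has data.
    # "-ldap" keeps "notfound" from failing the request at this point.
    -ldap

    # SSID -> AD group mapping lives in authorization; mschap/ntlm_auth is
    # left to do authentication only.
    if (&Called-Station-SSID == "SSID-Corp-Employee") {
        if (!(&LDAP-Group == "ADgroupA")) {
            update reply {
                &Reply-Message := "Not a member of the group for this SSID"
            }
            reject
        }
    }
    elsif (&Called-Station-SSID == "SSID-Corp-Direction") {
        if (!(&LDAP-Group == "ADgroupB")) {
            update reply {
                &Reply-Message := "Not a member of the group for this SSID"
            }
            reject
        }
    }
    else {
        # An SSID with no mapping: fail closed instead of silently allowing.
        reject
    }

    # ... remaining default authorize entries (mschap, eap, pap, ...) ...
}
```

A user who fails the group check is rejected in authorize, before any authentication method runs, so a valid password alone never grants access to the wrong SSID.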

