FreeRADIUS and Active Directory Integration
Song Zou
a13519 at me.com
Mon Nov 19 13:22:08 CET 2018
please don’t send email
On Jul 23, 2015, at 02:12, Scott Pickles via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Is this correct?
> [/etc/raddb/sites-available/default]
> ...
> authorize {
> preprocess
> rewrite_calling_station_id
>
> eap {
> ok = return
> updated = return
> }
> files
> ldap
> if (LDAP-Group != 'VPN-Internal') {
> reject
> }
> ntlm_auth
> }
>
> authenticate {
> #Auth-Type PAP {
> # pap
> #}
>
> #Auth-Type CHAP {
> # chap
> #}
>
> Auth-Type ldap {
> ldap
> }
>
> Auth-Type MS-CHAP {
> mschap
> }
> #digest
> eap
> }
> ...
>
>
>
> On Wednesday, July 22, 2015 12:11 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
>
> On Jul 22, 2015, at 11:59 AM, Scott Pickles via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I'm sure you're reading the subject going "ugh not another one". But there is so much documentation out there and all of it slightly different that I don't know which end is up at this point. I would like to use FreeRADIUS to authenticate VPN users and wireless, and I'm working on VPN right now. From what I understand so far, I want to use LDAP to check if the person is in the right group first, and if not reject them. If they are in the right group then authenticate using ntlm_auth. I am also understanding that the place to do this is no longer the users/authorize file and that it should be done in the 'default' file using 'unlang'. Is this correct so far? If so, can someone give me an example of the 'unlang' portion?
>
>
>
> if (LDAP-Group != 'VPNgroup) {
> reject
> }
>
> LDAP should be replaced with the instance of the LDAP module you're using.
>
> -Arran
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list