Freeradius - how to reply "memberof" active directory information for Strongswan
Alan DeKok
aland at deployingradius.com
Tue Sep 24 20:45:22 CEST 2019
On Sep 24, 2019, at 2:34 PM, Sébastien Genesta <genesta.sebastien at gmail.com> wrote:
> I'm using Freeradius for the Active Directory authentication of my
> Strongswan clients.
That should be fine.
> My goal is to declare 2 vpn connections with different virtual IP leases,
> allowing me to separate traffic (as an example, one vpn connection for
> sales and the other for technicians).
>
> To do it, I'm trying to use Group selection option (rightgroups) on
> Strongswan.
>
> According to Strongswan documentation (
> https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have to
> use class attribute on my freeradius server to return the group membership.
>
> The issue is that I don't know how.
>
> I'm using mschap for authentication to Active Directory.
You can't get group information using mschap. You MUST configure the ldap module to check AD for group membership.
> I've tried to follow this post but it didn't work
> http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td5752289.html
Define "didn't work". What happened?
> More precisely below part (replacing ldap module by mschap module and also
> changing path because my freeradius version is 3.0):
> ...
> # /etc/raddb/sites-enabled/default
> post-auth {
>     ...
>     foreach &reply:memberOf {
>         update reply {
>             Class += "%{Foreach-Variable-0}"
>         }
>     }
>     ...
> }
And... what showed up in the debug output?
> Is there any official guide explaining how to reply memberOf attribute?
No.
> How can I do it?
The above method *should* work, provided you read the debug output to see what's going on.
Alan DeKok.
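As an added illustration of the ldap-module approach Alan refers to (not from the original thread, and not strongSwan's or FreeRADIUS's own documentation), the following FreeRADIUS 3.0 fragments let mschap (ntlm_auth) keep doing the authentication while the ldap module performs the AD group check and post-auth writes the result into Class, which strongSwan's rightgroups then matches. The server name, bind DN, password, base DN and the two group names are assumed placeholders for a real deployment.

```conf
# /etc/raddb/mods-available/ldap (constructed values; adjust to your domain)
ldap {
    server   = 'dc1.example.com'                       # placeholder DC
    identity = 'CN=radius,CN=Users,DC=example,DC=com'  # placeholder bind DN
    password = 'change-me'                             # placeholder
    base_dn  = 'DC=example,DC=com'

    user {
        base_dn = "${..base_dn}"
        # AD logon name; Stripped-User-Name is set when a realm was stripped
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn              = "${..base_dn}"
        filter               = '(objectClass=group)'
        name_attribute       = cn
        # AD stores group DNs on the user object, so membership is resolved
        # from the user's memberOf values rather than a per-group search
        membership_attribute = 'memberOf'
    }
}

# /etc/raddb/sites-enabled/default
authorize {
    ...
    ldap       # looks the user up; enables the LDAP-Group check below
    mschap     # authentication itself still goes through ntlm_auth
    ...
}

post-auth {
    # Each comparison triggers a group-membership check by the ldap module.
    # Only the matching value is returned; strongSwan compares it with
    # rightgroups on the connection definitions.
    if (&LDAP-Group == "vpn-sales") {
        update reply { Class += "vpn-sales" }
    }
    elsif (&LDAP-Group == "vpn-tech") {
        update reply { Class += "vpn-tech" }
    }
    else {
        reject   # user authenticated but is in neither VPN group
    }
}
```

Run the server with radiusd -X and confirm that the LDAP-Group comparison and the Class attribute both appear in the Access-Accept in the debug output; that is the check Alan is asking for.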