Freeradius - how to reply "memberof" active directory information for Strongswan
Sébastien Genesta
genesta.sebastien at gmail.com
Wed Sep 25 15:20:20 CEST 2019
Hi,
Thanks for your answer. I think the issue is caused by the fact that I was
using mschap to check AD for membership.
I will try to configure the ldap module and give you feedback with debug
information if it still doesn't work.
Seb.
On Tue, Sep 24, 2019 at 20:45, Alan DeKok <aland at deployingradius.com>
wrote:
> On Sep 24, 2019, at 2:34 PM, Sébastien Genesta <
> genesta.sebastien at gmail.com> wrote:
> > I'm using Freeradius for the Active Directory authentication of my
> > Strongswan clients.
>
> That should be fine.
>
> > My goal is to declare 2 vpn connections with different virtual IP leases,
> > allowing me to separate traffic (as an example, one vpn connection for
> > sales and the other for technicians).
> >
> > To do it, I'm trying to use Group selection option (rightgroups) on
> > Strongswan.
> >
> > According to the Strongswan documentation (
> > https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius) I have to
> > use the Class attribute on my freeradius server to return the group
> > membership.
> >
> > The issue is that I don't know how.
> >
> > I'm using mschap for authentication to Active Directory.
>
> You can't get group information using mschap. You MUST configure the
> ldap module to check AD for group membership.
>
> > I've tried to follow this post but it didn't work:
> > http://freeradius.1045715.n5.nabble.com/Return-User-Groups-in-Class-field-td5752289.html
>
> Define "didn't work". What happened?
>
> > More precisely the part below (replacing the ldap module with the mschap
> > module and also changing the path because my freeradius version is 3.0):
> > ...
> > # /etc/raddb/sites-enabled/default
> > post-auth {
> >     ...
> >     foreach &reply:memberOf {
> >         update reply {
> >             Class += "%{Foreach-Variable-0}"
> >         }
> >     }
> >     ...
> > }
>
> And... what showed up in the debug output?
>
> > Is there any official guide explaining how to reply the memberOf attribute?
>
> No.
>
> > How can I do it?
>
> The above method *should* work, provided you read the debug output to
> see what's going on.
>
> Alan DeKok.
>
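An added illustration of the ldap-module route Alan points to (this is not configuration from the thread or from the FreeRADIUS project; the server name, bind account, password and base DN are constructed placeholders). Instead of the foreach in the quoted post-auth section, the ldap module's update map copies each memberOf value straight into a separate reply Class attribute, while mschap still performs the authentication:

```text
# /etc/raddb/mods-available/ldap   (FreeRADIUS 3.0 layout; values are placeholders)
ldap {
    server   = 'dc1.example.internal'                         # constructed
    identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=internal'  # read-only bind account
    password = 'PLACEHOLDER'
    base_dn  = 'DC=example,DC=internal'

    update {
        # Each memberOf value (a group DN) becomes its own reply:Class.
        # strongSwan's eap-radius plugin, with class_group = yes, treats
        # every Class value as a group name that rightgroups can match.
        reply:Class += 'memberOf'
    }

    user {
        base_dn = "${..base_dn}"
        # Active Directory keys users on sAMAccountName, not uid
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# /etc/raddb/sites-enabled/default
authorize {
    ...
    mschap      # still sets Auth-Type for the MS-CHAPv2 exchange
    ldap        # lookup only: finds the user and runs the update map above
    ...
}
```

Run `radiusd -X` and check that the ldap section of the debug output shows the user being found and the Class values being added to the reply; if Class never appears there, the group values cannot reach strongSwan.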