Active Directory authenticated VPN
Alan DeKok
aland at deployingradius.com
Thu Apr 22 15:36:50 CEST 2021
On Apr 22, 2021, at 9:07 AM, Pisch Tamás <pischta at gmail.com> wrote:
> I would like to set up a VPN on a Samba DC (Debian Bullseye). I could set it
> up with ntlm_auth, but I read that ntlm_auth may serve about 30 requests per
> second maximum, and uses SMBv1.
> I would like to filter users by group or msNPAllowDialin AD property.
> I can use:
>
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"
>
> in mschap, but how can I filter users?
Use LDAP group checking. The "winbind" feature just does authentication. It doesn't do anything else.
See the LDAP-Group documentation for how to use LDAP groups. In recent versions of the server, there are even pointers to this in mods-available/ldap.
Alan DeKok.
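
The group check described in the reply, sketched as an added FreeRADIUS 3.x configuration example; it is not from the original thread or from the shipped config. The host name, bind account, base DN and group DN are constructed placeholders, and the sAMAccountName user filter and memberOf membership attribute are assumptions for an AD-style directory.

```unlang
# --- mods-available/ldap (fragment; enable by linking into mods-enabled/) ---
ldap {
    # Constructed placeholder values: replace with your DC and a
    # low-privilege, read-only bind account.
    server   = "ldaps://dc1.example.com"
    identity = "CN=radius-bind,CN=Users,DC=example,DC=com"
    password = "CHANGE_ME"
    base_dn  = "DC=example,DC=com"

    user {
        base_dn = "${..base_dn}"
        # Assumption: AD-style login name attribute.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        # Assumption: group DNs are listed on the user object.
        membership_attribute = "memberOf"
    }
}

# --- sites-available/default (fragment) ---
authorize {
    preprocess
    mschap

    # Look up the user object so the group comparison has a DN to work with.
    ldap

    # Authorization only: reject anyone outside the VPN group before
    # authentication runs. The group DN is a constructed placeholder.
    if (LDAP-Group == "CN=vpn-users,CN=Users,DC=example,DC=com") {
        noop
    }
    else {
        reject
    }
}

authenticate {
    # Password verification stays with mschap (winbind settings as in
    # the question); LDAP is used here for the group check only.
    mschap
}
```

Running the server with `radiusd -X` shows the LDAP search and the result of the group comparison for each request.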