AD group and Reply Attribute

Москалев Артем Сергеевич MoskalevAS at energomera.ru
Tue Feb 22 12:02:02 UTC 2022


ntlm_auth is not used.

You can just configure the ldap module (mods-available/ldap):

	server = 'YOUR_IP'
	port = 389
	identity = 'CN=std,OU=IT,OU=FDM,DC=test,DC=com'
	password = 1
	base_dn = 'dc=test,dc=com'

# and change the user and group filters for Active Directory:

user {
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}


group {

	filter = '(objectClass=group)'
}

Next modify (sites-available/default):

# in the authorize section add:

authorize {
         -ldap
         if ((ok || updated) && User-Password && !control:Auth-Type) {
             update {
                 control:Auth-Type := ldap
             }
         }

}

# in the authenticate section add:

authenticate {
	Auth-Type LDAP {
		ldap
	}
}

As far as I remember, FreeRADIUS recommends using a policy in the post-auth section to assign the VLAN.

# my VLAN assignment policy (policy.d/vlan_policy)

vlan_assignment {
	# only act on users that were authenticated against LDAP
	if (&control:Auth-Type == ldap) {
		# group membership check; the DN is a placeholder for your own group
		if (LDAP-Group == "CN=SOMEGROUP,OU=Groups,OU=TEST,DC=company,DC=com") {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-ID := 21
			}
		}
		else {
			# authenticated but not in the group: refuse access
			reject
		}
	}
}

You can use radtest (a Linux utility) to debug your RADIUS server.

> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-
> bounces+moskalevas=energomera.ru at lists.freeradius.org] On Behalf Of
> ReZa Esfahani
> Sent: Tuesday, February 22, 2022 2:03 PM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: AD group and Reply Attribute
> 
> I use samba to integrate my AD with FreeRADIUS and I think it uses ntlm_auth.
> But I don't know whether it is necessary to use the ldap module or not for
> sending attributes to the NAS for different groups?
> 
> On Tue, Feb 22, 2022 at 1:05 PM Москалев Артем Сергеевич
> <MoskalevAS at energomera.ru> wrote:
> >
> > Hi, does the ldap connection succeed? Need debug output.
> > > -----Original Message-----
> > > From: Freeradius-Users [mailto:freeradius-users-
> > > bounces+moskalevas=energomera.ru at lists.freeradius.org] On Behalf Of
> > > ReZa Esfahani
> > > Sent: Tuesday, February 22, 2022 12:24 PM
> > > To: Free Radius Mailing list <freeradius-users at lists.freeradius.org>
> > > Subject: AD group and Reply Attribute
> > >
> > > Hello,
> > > I have Microsoft Active Directory as the users database in my company.
> > > I have 10 different groups in my AD and I want to send specific attributes
> > > for each group to the NAS. I also integrated my AD with freeradius, but I
> > > don't know how to send these attributes to the NAS and I don't know where I
> > > made a mistake?
> > >
> > > users file
> > > .......................................
> > > DEFAULT Ldap-Group == "CN=student,OU=IT,OU=FDM,DC=test,DC=com",
> > >   Service-Type = Framed-User,
> > >   Framed-Protocol = PPP,
> > >   Tunnel-Medium-Type = 802 (includes all 802 media plus Ethernet
> > > "canonical format"),
> > >   Tunnel-Private-Group-ID = 15
> > >   Tunnel-Type = Virtual Lans (VLAN)
> > > ...........................................................
> > > mods-enabled > ldap module
> > > ..........................................................
> > >
> > > ldap {
> > >
> > >     server = 'active.test.com'
> > >     identity = 'CN=std,OU=IT,OU=FDM,DC=test,DC=com'
> > >     password = 1
> > >     base_dn = 'dc=test,dc=com'
> > > }
> > > ...........................................................................................
> > > site-enabled > default
> > > .........................................................
> > > in authorize section  uncomment ldap
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list