You can use LDAP in the authorize section to accomplish this.  Is the
group name you are checking against static?  Is it
sometimes/always/never the primary group for the user?

Group name is static, never the primary group for the user. What is
added to the user file for this? Is it similar to below:
DEFAULT Ldap-Group == "GroupName"
       Service-Type = Framed,
       Framed-Protocol = PPP,
       Framed-IP-Address = 255.255.255.254,
       Framed-IP-Netmask = 255.255.255.255,
etc..

Can I simply use the:
--require-membership-of='DOMAIN\Group'
option of ntlm_auth to accomplish the group check?

> I have had LDAP only working with PAP, but am stuck with getting it to
> work with MS-CHAP.

You can't use LDAP with MS-CHAP.  Use the mschap module to do the
authentication.

Yup, I realised this, which is why I'm pursuing the mschap module with ntlm_auth.

Look at the comments in radiusd.conf to see how to use
ntlm_auth via the mschap module of FR.

I'm not finding the comments very useful in terms of what I need to do
next after setting the options, which is why I posted here.