I just upgraded to FreeRadius 2.1.1, as per some off-list advice, but still am having issues with this... I've Googled and read docs to no avail, probably as I don't know much of anything about Radius at all - and just need this (seemingly relatively simple) thing.
I'm running FreeRADIUS 2.1.1 (SuSE package) and OpenLDAP 2.3.19. I have an access point that will do captive portal, but only via RADIUS, not via LDAP natively. I already have an LDAP server running, so I just added a new groupOfNames called "WirelessUsers". Basically, *all* I want RADIUS to do is check the username and password, and assuming they are correct, either allow or deny based on whether the user is a member of "WirelessUsers".

According to radtest, I have it working with LDAP, but it allows everyone with a valid username and password access, regardless of the WirelessUsers group - and I'm not seeing anything related to that group in the LDAP logs, or anything related to groups at all in `radiusd -f -X`. I can't seem to find anything concrete online for freeradius1 relating to groupOfNames, so I've just been trying random things that I found online (for raddb/users) hoping one would work.

RELEVANT CONFIGS (only relevant portions, comments removed)

raddb/sites-enabled/default:

    authorize {
            ldap
    }
    authenticate {
            Auth-Type LDAP {
                    ldap
            }
    }

raddb/modules/ldap:

    ldap {
            server = "127.0.0.1"
            basedn = "dc=example,dc=com"
            #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
            filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
            start_tls = no
            #access_attr = "dialupAccess"
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            password_attribute = userPassword
            groupname_attribute = "cn"
            #groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
            groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:LDAP-UserDn})))
            groupmembership_attribute = WirelessUsers
            #groupmembership_attribute = "memberof"
            timeout = 4
            timelimit = 3
            net_timeout = 1
            # compare_check_items = yes
            # do_xlat = yes
            # access_attr_used_for_allow = yes
    }

raddb/users:

    #DEFAULT Auth-Type = LDAP
    #        Fall-Through = yes
    #
    #DEFAULT Ldap-Group != "wireless", Auth-Type := Reject
    #
    #DEFAULT Ldap-Group != "cn=WirelessUsers,ou=groups,dc=midlandparkambulance,dc=com", Auth-Type := Reject
    #
    #DEFAULT Auth-Type := LDAP
    #
    DEFAULT Ldap-Group == WirelessUsers
    DEFAULT Auth-Type := Reject

(For users, I've tried each of the pairs of commented-out lines, as per different things I found online.)

I'm sure this is horribly simple, but I just can't seem to figure it out from the docs or from extensive googling.

Thanks for any help,
Jason Antman

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
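For readers landing on this thread: the following is an added example of how a groupOfNames membership gate is normally wired in FreeRADIUS 2.x. It is not part of the original post and not the FreeRADIUS project's own configuration; it reuses the poster's basedn, filter and group name, and it assumes the standard `files` module is available to read raddb/users and that the group entry lives under `basedn`. The `control:` list name is the one used by the 2.x default raddb/modules/ldap; whether the older `check:` spelling still resolves in 2.1.1 is not something this example relies on.

```text
# raddb/modules/ldap  (added example; only the settings that matter for the group check)
ldap {
        server = "127.0.0.1"
        basedn = "dc=example,dc=com"
        filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        password_attribute = userPassword
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # A value given to Ldap-Group is matched against this attribute of the
        # GROUP entry, so Ldap-Group == "WirelessUsers" means cn=WirelessUsers.
        groupname_attribute = "cn"

        # groupmembership_attribute names an attribute of the USER entry that
        # lists the groups it belongs to (e.g. memberOf with the OpenLDAP
        # memberof overlay).  A plain groupOfNames setup has no such attribute,
        # so leave it unset; "WirelessUsers" is a group name, not an attribute.
        # groupmembership_attribute = "memberOf"

        # Without a membership attribute, rlm_ldap answers Ldap-Group by
        # searching under basedn for a group entry whose member (or
        # uniqueMember) is the authenticating user's DN.
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}

# raddb/sites-enabled/default  (added example)
authorize {
        ldap       # runs first: finds the user and records Ldap-UserDn
        files      # reads raddb/users; without this entry the users file is never consulted
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}

# raddb/users  (added example)
# Entries are tried in order and the first match wins unless it sets
# Fall-Through.  A member matches here and goes straight on to
# authentication with the Auth-Type rlm_ldap already set.
DEFAULT Ldap-Group == "WirelessUsers"

# Only non-members get this far; := overrides any Auth-Type set earlier.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of WirelessUsers"
```

The check to confirm it is actually in effect: run `radiusd -X`, send one radtest for a member and one for a non-member, and look in the debug output for a second LDAP search whose filter contains `(member=uid=...)` for the user's DN. If that search never appears, the `files` module is not in `authorize` (or runs before `ldap`), and the users file, whatever it contains, is not being evaluated, which also explains seeing nothing group-related in the LDAP server's logs.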