Hello!

I'm trying to modify a working configuration to add one more authentication service in FreeRadius.

I already have one configuration to authenticate users in ldap to use wireless network. See the radiusd.conf:


radiusd.conf
========================================
# Installation layout. Later settings reuse these values through ${...} expansion.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
# confdir is where clients.conf, eap.conf and the users file are read from below.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
pidfile = /var/run/freeradius/freeradius.pid
# The daemon runs as a dedicated account rather than root.
# NOTE(review): this file carries the LDAP bind password, so it and the rest of
# ${confdir} should be readable by this account only - confirm the file modes.
user = freerad
group = freerad

# Authentication listener. "*" binds every local address; port = 0 makes the
# server look the port up in /etc/services (normally 1812/udp).
# NOTE(review): once switches are added as clients, consider binding to the
# management address or firewalling the port so only known NAS devices reach it.
listen {
 ipaddr = *
 port = 0
 type = auth
}

# Accounting listener, same binding rules (normally 1813/udp).
listen {
 ipaddr = *
 port = 0
 type = acct
}

# Worker thread limits: start with 1 thread, grow to at most 4, and keep
# between 1 and 3 idle threads available.
thread pool {
 start_servers = 1
 max_servers = 4
 min_spare_servers = 1
 max_spare_servers = 3
 # 0 is the special value for "never recycle a thread after N requests".
 max_requests_per_server = 0
}

$INCLUDE ${confdir}/clients.conf

# Module instances. Each name defined here can be listed in the authorize and
# authenticate sections further down.
modules {
 # PAP: the stored password is compared in clear text.
 pap {
    encryption_scheme = clear
 }
 chap {
    authtype = CHAP
 }
 # EAP settings (used here for the wireless 802.1X logins) live in eap.conf.
 $INCLUDE ${confdir}/eap.conf
 mschap {
    authtype = MS-CHAP
    # Accept DOMAIN\user names from Windows clients, which compute the
    # challenge response over the bare user part only.
    with_ntdomain_hack = yes
 }
 # Empty instance. NOTE(review): not referenced by authorize/authenticate in
 # this file - confirm it is still needed.
 mschapv2 {
 }
 files {
    usersfile = ${confdir}/users
    compat = no
 }
      # LDAP instance "ldap_1x", used for the wireless logins.
      ldap ldap_1x {
              # Directory is reached over loopback only.
              server = "127.0.0.1"
              # NOTE(review): the bind identity is the directory Manager. A
              # dedicated read-only account limited to the attributes RADIUS
              # needs would reduce the impact if this file leaks.
              identity = "cn=Manager,dc=company,dc=com,dc=br"
              # Bind password is stored in clear text (redacted in this post).
              password = "XXXXXX"
              # Only entries below ou=Users are searched.
              basedn = "ou=Users,dc=company,dc=com,dc=br"
              # No StartTLS: bind password and returned attributes travel
              # unencrypted. Tolerable on 127.0.0.1; enable TLS if the server
              # is ever moved off this host.
              start_tls = no
              # NOTE(review): access_attr is the attribute that must exist for
              # remote access to be allowed; "uid" presumably matches every
              # user entry, so it does not restrict anything - confirm.
              access_attr = "uid"
              # Maps LDAP attributes to RADIUS attributes.
              dictionary_mapping = ${raddbdir}/ldap.attrmap
              authtype = ldap
              ldap_connections_number = 5
              # LDAP time limits, in seconds.
              timeout = 4
              timelimit = 3
              net_timeout = 1
      }
}
# Authorization phase: the modules run in the order listed for every request.
# "files" applies the users file, ldap_1x looks the user up in LDAP.
# NOTE(review): no group check is done here; any entry found under the
# ldap_1x basedn is treated the same - confirm that is intended before
# switch logins share this section.
authorize {
 pap
 files
 mschap
 ldap_1x
 eap
}
# Authentication phase: the module run is chosen by the Auth-Type that the
# authorize phase left on the request.
authenticate {
      Auth-Type PAP {
              pap
      }
      Auth-Type MS-CHAP {
              mschap
      }
      # NOTE(review): the ldap_1x module declares authtype = ldap, but the
      # LDAP bind is wired to Auth-Type PPP here - confirm which Auth-Type
      # actually reaches this block.
      Auth-Type PPP {
              ldap_1x
      }

      eap
}
# Logging goes to a flat file under /var/log/freeradius.
log {
      destination = files
      file = /var/log/freeradius/radius.log
      syslog_facility = daemon
      stripped_names = no
      # Log every authentication request (accepts and rejects).
      auth = yes
      # Passwords are never written to the log, neither rejected nor accepted
      # ones. Keep both at "no": rejected attempts often hold a near-miss or a
      # password typed for another system.
      auth_badpass = no
      auth_goodpass = no
}
========================================

and, the users file:

users
========================================
# ":=" sets Auth-Type to MS-CHAP on every request that reaches this entry,
# replacing any value already present.
# NOTE(review): a PAP login coming from a switch would presumably be forced to
# MS-CHAP here as well - confirm before adding switch clients.
DEFAULT Auth-Type := MS-CHAP

# Reply attributes for requests carrying a CSLIP hint.
DEFAULT Hint == "CSLIP"
      Framed-Protocol = SLIP,
      Framed-Compression = Van-Jacobson-TCP-IP

# Reply attributes for requests carrying a SLIP hint.
DEFAULT Hint == "SLIP"
      Framed-Protocol = SLIP
========================================

This is enough to provide access to users in wireless network.

I need to add RADIUS authentication against LDAP for switch devices, with a group check.
The users are in cn=TacAdm,ou=Groups,dc=company,dc=com,dc=br

I have already tried adding a new module called

ldap ldap_switch {
...
}

and many settings like groupmembership_filter, groupname_attribute, filter, base_filter, access_attr, groupmembership_attribute, but none of them makes the group check in LDAP work!

What do I need to do to make this group check work while keeping the wireless configuration working?

Thanks!
Douglas