Hi... I was able to get the OpenLDAP group authentication + PAP with RADIUS. I used the following settings.

In the users file:

    DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihk,dc=com"
            Reply-Message = "You are Accepted"

    DEFAULT Auth-Type := Reject

and in /etc/freeradius/modules/ldap:

    server = "ldap.ihx.com"
    identity = "cn=admin,dc=openldap,dc=ihx,dc=com"
    password = abc
    basedn = "dc=openldap,dc=ihx,dc=com"
    filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"
    access_attr = "mail"
    authtype = ldap

and uncomment the following lines in /etc/freeradius/modules/ldap:

    groupname_attribute
    groupmembership_filter
    groupmembership_attribute

Hope this helps,
Thank You

On 26 June 2012 20:44, Julson, Jim <jjul...@marketron.com> wrote:

> Forgive my ignorance, but the variable that you are suggesting I use would
> be something that I had to create locally on my RADIUS servers right? The
> idea is that we use our central point of management which in our case is
> Active Directory. We have hundreds of servers ranging from RHEL 3 up to
> Ubuntu 12.04 as well as Windows boxes. So managing groups on a "per radius
> server" basis isn't really a good choice from a management perspective.
> Using the Active Directory domain, we can have our admins move folks in
> and out of groups as necessary.
>
> Did I understand your suggestion right? Or is that variable
> "--require-membership-of=" something that can help me achieve what I want
> to do? I thought I had to use LDAP for Group Authorization...
>
> -----Original Message-----
> From: freeradius-users-bounces+jjulson=marketron....@lists.freeradius.org
> [mailto:freeradius-users-bounces+jjulson=marketron....@lists.freeradius.org]
> On Behalf Of NdK
> Sent: Tuesday, June 26, 2012 3:36 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Can't figure out Group Authentication
>
> On 22/06/2012 17:32, Julson, Jim wrote:
>
> > > Now, the problem is this. Following Alan DeKok's guide at
> > > http://deployingradius.com/documents/configuration/active_directory.html,
> > > I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal
> > > effort. There were a few things I had to go elsewhere to figure out, but I
> > > managed. I have FreeRADIUS setup and authenticating using NTLM_AUTH. I
> > > was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This
> > > RADIUS server will be for authenticating users on all of our Cisco devices,
> > > as well as remote access VPN users. So the problem is this. It's
> > > authenticating...a little too well.
> > >
> Why not add a "default group" var (to be overridden for specific
> clients) and pass it to ntlm_auth in "--require-membership-of="
> parameter? That way you can filter who can authenticate from any NAS.
> And IIUC huntgroups, you can even define groups of clients...
>
> Please correct me if I'm wrong.
>
> BYtE,
> Diego.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
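
The three group settings named in the top message of this thread, shown uncommented, as an added example that is not part of any poster's message. It assumes the values are the stock commented-out ones shipped in the FreeRADIUS 2.x modules/ldap file, so compare them with your own copy before relying on them.

```conf
# /etc/freeradius/modules/ldap (FreeRADIUS 2.x), group settings only.
# Assumption: these are the stock values shipped commented out in 2.x.
ldap {
	# ... server, identity, password, basedn, filter as in the message above ...

	# Attribute holding a group's name; used when Ldap-Group is compared
	# against a bare name rather than a full group DN.
	groupname_attribute = cn

	# Search that decides membership: the group entry must list the
	# user's DN in member (groupOfNames) or uniquemember (groupOfUniqueNames).
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"

	# Attribute on the user's own entry that may also name groups.
	groupmembership_attribute = radiusGroupName
}
```

With these set, the Ldap-Group check in the users file is answered by the directory, and the trailing DEFAULT Auth-Type := Reject entry catches every user who did not match the group.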