On 26/06/2012 17:14, Julson, Jim wrote:
> Forgive my ignorance, but the variable that you are suggesting I use
> would be something that I had to create locally on my RADIUS servers
> right? The idea is that we use our central point of management which
> in our case is Active Directory.

You have to define a local variable to hold the group name (or the group SID, but while making auth faster it makes management harder). Then assign to it a value based on where you receive your request from (a switch, a "public" server, a "private" server, a VPN endpoint...) and pass it to ntlm_auth in the --require-membership-of option. If the user trying to access is not in that group, he's denied access (ntlm_auth checks group membership in AD).

> We have hundreds of servers
> ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes.
> So managing groups on a "per radius server" basis isn't really a
> good choice from a management perspective. Using the Active
> Directory domain, we can have our admins move folks in and out
> of groups as necessary.

That's exactly what AD is for. But I usually join the PCs to it so I can have better integration (one for all: AD groups get mapped to Unix groups).

> Did I understand your suggestion right?

I don't think so.

> Or is that variable "--require-membership-of="

That's not a variable, that's a parameter for ntlm_auth.

> something that can help me achieve what I want to do?

It restricts access to members of that group. IIUC that's what you need.

> I thought I had to use LDAP for Group Authorization...

You don't need to. At least not for such a basic thing.

To be more clear (not actually tested):
1) add "ATTRIBUTE Require-Group 3000 string" to dictionary
2) add "DEFAULT Require-Group := 'default-ad-group'" to users
3) change the ntlm_auth line in modules/mschap to include "--require-membership-of=%{Require-Group}"

Now restart FR and it should accept only users in 'default-ad-group'. If it's OK, now you have to find "some way" to differentiate the NAS (or NAS group) from where the user is requesting access and use unlang to change the Require-Group value as needed.

BYtE,
Diego.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
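The three steps and the per-NAS unlang part, put together as an added example (not from Diego's mail or the FreeRADIUS distribution). It assumes the FreeRADIUS 2.x raddb layout, uses huntgroups to name the NAS classes, and reads the attribute from the control list (`%{control:Require-Group}`), which is where a users-file check item puts it; NAS addresses and AD group names are constructed placeholders, and the ntlm_auth line is the stock one with the extra option appended.

```text
# raddb/dictionary  (local dictionary; numbers >= 3000 are internal, never sent on the wire)
ATTRIBUTE   Require-Group   3000   string

# raddb/users  -- the default is the most restrictive group; unlang below changes it per NAS
DEFAULT   Require-Group := "radius-default-users"

# raddb/huntgroups  -- map NAS addresses to a named class (constructed addresses)
vpn        NAS-IP-Address == 192.0.2.10
switches   NAS-IP-Address == 192.0.2.20
switches   NAS-IP-Address == 192.0.2.21

# raddb/sites-enabled/default, authorize section. Order matters: preprocess evaluates
# huntgroups, files loads the DEFAULT entry, then the unlang overrides it per class.
authorize {
    preprocess
    files
    if (Huntgroup-Name == "vpn") {
        update control {
            Require-Group := "vpn-users"           # constructed AD group name
        }
    }
    elsif (Huntgroup-Name == "switches") {
        update control {
            Require-Group := "network-admins"      # constructed AD group name
        }
    }
    # Fail closed: never hand ntlm_auth an empty --require-membership-of value
    if (!control:Require-Group) {
        reject
    }
    mschap
}

# raddb/modules/mschap  -- the control attribute is expanded when ntlm_auth runs in
# the authenticate section, so it keeps the value set above
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{control:Require-Group}"
```

Run `radiusd -X` once after the change and confirm in the debug output that the expanded ntlm_auth command line carries the group you expect for each NAS class before putting it in production.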