OK, I achieved my goal to get FreeRADIUS to authenticate via MSCHAP
challenge-response and authorize via LDAP search.
It's working, though I'm not sure that I'm doing it right. This "solution"
works only with one group (in my example, VPNusers). I think it is not expandable
to a scenario like:
"authorize user when it belongs to the group VPNusers
authorize user when it comes from the IP of some WiFi access point disregarding
any groups"
So, I'm looking forward to any suggestions on how to make this configuration
better and expandable.
But so far, when you have only one group and no IF, AND, OR logic is
necessary, the following will work:
MSCHAP
Follow this great tutorial
http://deployingradius.com/documents/configuration/active_directory.html
If the last part gives you an error (like it did to me), check whether the freeradius user
has rights to talk to winbind.
ldap module conf
ldap {
    server = "local.track.ee"
    identity = "CN=ldapbind,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee"
    password = "XXX"
    # Note to Tobias Haschmer - the ldapbind user needs to be specifically configured in AD!
    # follow this instruction http://www.advproxy.net/ldapads.html
    basedn = "DC=local,DC=track,DC=ee"
    filter = "(&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee))"
    #base_filter = "(objectclass=radiusprofile)"

    # magic parameters for AD LDAP to work
    chase_referrals = yes
    rebind = yes
}
Suggestion: test your queries and LDAP stuff with some LDAP client, like
JXplorer (it's free).
inner-tunnel and default, authorize stanza:
    ldap {
        notfound = reject
    }
It's not a very flexible configuration; list user Matthew Newton had some ideas
on how to make it better.
A.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
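One way to express the "member of VPNusers OR coming from the WiFi access point" scenario from the post, written as an added example in FreeRADIUS 2.x unlang; this is not the poster's configuration nor an official FreeRADIUS snippet. It assumes the ldap module instance is still called "ldap", that the AD user entry carries its group DNs in memberOf, and that the access point's address 192.0.2.10 is a placeholder. The group-membership test is moved out of the LDAP filter into the authorize section, so further groups or sources can be chained with || without rewriting the filter:

```unlang
# modules/ldap: the filter now matches the user only; group checks
# are answered via Ldap-Group from the user's memberOf values.
ldap {
    server = "local.track.ee"
    identity = "CN=ldapbind,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee"
    password = "XXX"
    basedn = "DC=local,DC=track,DC=ee"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # AD lists the user's groups in memberOf (assumption: 2.x rlm_ldap keys)
    groupmembership_attribute = "memberOf"
    groupname_attribute = "cn"

    chase_referrals = yes
    rebind = yes
}

# sites-enabled/default and inner-tunnel, authorize section
authorize {
    preprocess
    mschap
    suffix

    # Packet-Src-IP-Address is the real source of the request, unlike
    # NAS-IP-Address, which is a value the client puts in the packet itself.
    # 192.0.2.10 is a placeholder for the WiFi access point, which must
    # also have its own entry and shared secret in clients.conf.
    if (Packet-Src-IP-Address == 192.0.2.10) {
        # Authorized without any group requirement; authentication
        # still happens via mschap / ntlm_auth in the Auth-Type section.
        ok
    }
    else {
        ldap {
            notfound = reject
        }

        # Chain more groups with ||; the second DN is a hypothetical placeholder.
        if (Ldap-Group == "CN=VPNUsers,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee" ||
            Ldap-Group == "CN=ExampleOtherGroup,OU=SBSUsers,OU=Users,OU=Navirec,DC=local,DC=track,DC=ee") {
            ok
        }
        else {
            reject
        }
    }
}
```

Matching on the packet's source address rather than on NAS-IP-Address means the exception is tied to the NAS that actually holds the shared secret, not to a self-declared attribute. Running radiusd -X while sending a test request with radtest shows which branch was taken and what Ldap-Group resolved to, which is the quickest way to confirm the condition before putting it in front of real users.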