RE: Active Directory with NTLM_AUTH
> What is added to the user file for this? Is it similar to below:

Do you need those reply attributes returned? If not, you may not need anything in the users file. I don't have anything in mine, but I'm not using radius for dial-up/PPP.

> Can I simply use the:
> --require-membership-of='DOMAIN\Group'
> option of ntlm_auth to accomplish the group check?

I've used this option manually with clear-text passwords, but I haven't tried it from mschap in FR. Does it work for you when you run ntlm_auth from a shell prompt?

If you can't get it to work from mschap, you can have LDAP get the user's group memberships by adding a checkItem to ldap.attrmap. In our environment, the groups to which a user is a member are stored in the memberOf LDAP attribute. So, I have the following in my ldap.attrmap file:

    checkItem    Ldap-Group    memberOf

Then, ensure ldap is in your authorize section. This checkItem will cause ldap to create one Ldap-Group check attribute for each group to which the user is a member.

In the past, I have successfully used checkval to do the comparison. The checkval module compares a request attribute to a check attribute. If your group name isn't in a request attribute, you can use attr_rewrite to add a request attribute with the group name you desire to test against. You would then put checkval after the attr_rewrite and ldap modules in authorize.

I'm currently using perl to do authorization because of the flexibility it affords. (In my case, depending upon the Huntgroup-Name, the group membership requirement varies. Also, for some Huntgroups, I allow several groups and I return a custom reply attribute that specifies the user's privilege level based on which group they were a member.) If you use perl, you wouldn't need attr_rewrite or checkval.

I haven't been using FR for very long so this may not be the best approach. However, I'm sure others will chime in if there are better alternatives.

- List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
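As an added illustration of the rlm_perl approach described in the reply above (this is not code from the thread or from the FreeRADIUS project), the script below implements an authorize() function that reads the Ldap-Group check items produced by the "checkItem Ldap-Group memberOf" mapping, reduces each memberOf DN to its CN, and accepts the user only if one of those groups is permitted for the service they are dialling into. The policy table, the group names, the NAS-Identifier values and the use of Reply-Message as a stand-in for the site-specific privilege attribute are all assumptions; the poster keyed the policy on Huntgroup-Name, whereas this example keys it on NAS-Identifier because that attribute arrives in the Access-Request packet itself. The hash names and return-code constants follow the example.pl shipped with rlm_perl; the assumption that a multi-valued attribute is passed as an array reference is noted in the code.

```perl
#!/usr/bin/perl
# Added example, not from the list thread: an rlm_perl authorize() that
# enforces a per-service Active Directory group requirement using the
# Ldap-Group check items created by "checkItem Ldap-Group memberOf".
use strict;
use warnings;

# Hashes rlm_perl fills in before calling authorize(), named as in example.pl.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Module return codes, as defined in the stock example.pl.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_UPDATED => 8;

# Assumed policy: for each NAS-Identifier, the AD groups that may connect and
# the privilege level to report for each. All names here are made up.
my %POLICY = (
    'dialup-pool' => { 'VPN-Users' => 'user', 'VPN-Admins' => 'admin' },
    'noc-console' => { 'VPN-Admins' => 'admin' },
);

# Log via the server when embedded in radiusd, to STDERR when run from a shell.
sub log_msg {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { radiusd::radlog(1, $msg) }
    else                          { print STDERR "$msg\n" }
}

# Turn an attribute value into a list. Assumption (per example.pl): rlm_perl
# passes a multi-valued attribute as an array reference, a single value as a
# plain scalar, and an absent attribute as undef.
sub as_list {
    my ($v) = @_;
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Reduce a memberOf DN such as "CN=VPN-Users,OU=Groups,DC=corp,DC=example"
# to its CN. A value that is already a bare group name is returned unchanged.
sub group_cn {
    my ($dn) = @_;
    return $dn =~ /^\s*CN=([^,]+)/i ? $1 : $dn;
}

# Pure decision function so the policy can be exercised outside the server.
# Returns the privilege level, or undef when no permitted group matched.
sub privilege_for {
    my ($service, @groups) = @_;
    my $allowed = $POLICY{ defined $service ? $service : '' } or return undef;
    for my $g (map { group_cn($_) } @groups) {
        return $allowed->{$g} if exists $allowed->{$g};
    }
    return undef;
}

sub authorize {
    my $svc  = $RAD_REQUEST{'NAS-Identifier'};
    my $user = defined $RAD_REQUEST{'User-Name'} ? $RAD_REQUEST{'User-Name'} : '?';
    my $priv = privilege_for($svc, as_list($RAD_CHECK{'Ldap-Group'}));

    unless (defined $priv) {
        log_msg("perl: $user is in no group permitted for NAS "
                . (defined $svc ? $svc : 'unknown'));
        $RAD_REPLY{'Reply-Message'} = 'Not authorised for this service';
        return RLM_MODULE_REJECT;
    }

    # Reply-Message stands in for the site-specific privilege attribute the
    # poster returns; substitute the VSA your NAS understands.
    $RAD_REPLY{'Reply-Message'} = "privilege=$priv";
    return RLM_MODULE_UPDATED;
}

# Shell self-test on a constructed request (never triggered inside radiusd,
# which does not pass arguments): perl authorize.pl --selftest
if (@ARGV && $ARGV[0] eq '--selftest') {
    %RAD_REQUEST = ('User-Name' => 'alice', 'NAS-Identifier' => 'dialup-pool');
    %RAD_CHECK   = ('Ldap-Group' => [
        'CN=Staff,OU=Groups,DC=corp,DC=example',
        'CN=VPN-Admins,OU=Groups,DC=corp,DC=example',
    ]);
    my $rc = authorize();
    print "rc=$rc reply=$RAD_REPLY{'Reply-Message'}\n";
}

1;
```

To use it, point the perl module at the script (the "module = /path/to/authorize.pl" setting in the perl section of radiusd.conf) and list perl after ldap in the authorize section, so that the Ldap-Group check items already exist when authorize() runs. Keeping the decision in privilege_for(), which touches none of the %RAD_* hashes, is what makes the policy testable from a shell before it goes anywhere near a live NAS.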
Re: Active Directory with NTLM_AUTH
> You can use LDAP in the authorize section to accomplish this. Is the
> group name you are checking against static? Is it sometimes/always/never
> the primary group for the user?

Group name is static, never the primary group for the user.

What is added to the user file for this? Is it similar to below:

    DEFAULT Ldap-Group == "GroupName"
            Service-Type = Framed,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Framed-IP-Netmask = 255.255.255.255,
            etc..

Can I simply use the:
--require-membership-of='DOMAIN\Group'
option of ntlm_auth to accomplish the group check?

> > I have had LDAP only working with PAP, but am stuck with getting it to
> > work with MS-CHAP.
>
> You can't use LDAP with MS-CHAP. Use the mschap module to do the
> authentication.

Yup I realised this which is why I'm pursuing the mschap module with ntlm_auth.

> Look at the comments in radiusd.conf to see how to use ntlm_auth via the
> mschap module of FR.

I'm not finding the comments very useful in terms of what I need to do next after setting the options, which is why I posted here.
RE: Active Directory with NTLM_AUTH
> I also need to check that the user is a member of a particular group
> in Active Directory before Access-Accept is sent - do I fall back to
> LDAP for this?

You can use LDAP in the authorize section to accomplish this. Is the group name you are checking against static? Is it sometimes/always/never the primary group for the user?

> I have had LDAP only working with PAP, but am stuck with getting it to
> work with MS-CHAP.

You can't use LDAP with MS-CHAP. Use the mschap module to do the authentication.

Look at the comments in radiusd.conf to see how to use ntlm_auth via the mschap module of FR.
Active Directory with NTLM_AUTH
Okay I've been following the Wiki for Active Directory Integration but now I'm stuck. I'm successful at getting the machine to join the AD with Samba3, I have NTLM_AUTH working from the command line to challenge for the user and return successful. Next part is getting FreeRadius to use this information.

The end result is that I am using a Dial Up adapter within Windows to talk to radius, so I want the default Windows settings of MSCHAP to work first (means I have to customise the client end less).

What (if anything) do I need to do to the users file?

I also need to check that the user is a member of a particular group in Active Directory before Access-Accept is sent - do I fall back to LDAP for this?

I have had LDAP only working with PAP, but am stuck with getting it to work with MS-CHAP.