Checking SSID via A/D Group

2006-06-23 Thread Garber, Neal

We use Cisco 1232 APs with EAP-PEAP-MSCHAPv2 to a Cisco ACS (RADIUS server).

We would like to restrict access to SSIDs based upon Windows group membership. The ACS server is not capable of doing this. I currently have FreeRadius (1.1.2) installed under FreeBSD with OpenSSL 0.9.7d-p1 17 and Samba 3.0.20b. If the server is joined to an Active Directory domain, would it be possible to not just authenticate user/pwd through Samba, but also to check for Windows group membership based upon the SSID to which the user is trying to authenticate? If this is possible, can you suggest the general approach to implementing this?

For instance, if we have SSIDs ssid1, ssid2 and ssid3 and we want to map

ssid1 -> Windows group “ssid1 users”
ssid2 -> Windows group “ssid2 users”
ssid3 -> Windows group “ssid3 users”

such that if the user is a member of the group and their credentials are valid, FreeRadius would return Access-Accept. If they aren’t a member of the group or their credentials are invalid, it would return Access-Reject.

I’ve seen some threads talking about putting an SSID attribute in LDAP. But users could be authorized for more than one SSID, so it doesn’t seem like that approach would work. Also, administratively, it’s easier to identify/manage who is authorized for which SSIDs if it is done via group membership as opposed to a user attribute.

Also, does FreeRadius support changing of passwords via MSCHAP to Active Directory when the password is expired?

Thank you in advance for any help/guidance you can provide.

Neal

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Checking SSID via A/D Group

2006-06-23 Thread Alan DeKok
"Garber, Neal" <[EMAIL PROTECTED]> wrote:
> FreeBSD with OpenSSL 0.9.7d-p1 17 and Samba 3.0.20b.  If the server is
> joined to an
> Active Directory domain, would it be possible to not just authenticate
> user/pwd through
> Samba, but also to check for Windows group membership based upon the
> SSID

  Yes.  For the purposes of group checking, AD is just an LDAP
directory.  You should be able to edit the LDAP group membership
checks to do this.

  Alan DeKok.

RE: Checking SSID via A/D Group

2006-06-24 Thread Garber, Neal
>> FreeBSD with OpenSSL 0.9.7d-p1 17 and Samba 3.0.20b.  If the server is
>> joined to an
>> Active Directory domain, would it be possible to not just authenticate
>> user/pwd through
>> Samba, but also to check for Windows group membership based upon the
>> SSID

> Yes.  For the purposes of group checking, AD is just an LDAP
> directory.  You should be able to edit the LDAP group membership
> checks to do this.

Thank you for your quick response Alan.  I'm currently using 802.1x with
eap-peap and mschapv2 to a Cisco ACS to authenticate WinXP 802.11 users.
Would I use eap-peap/mschapv2 and LDAP within FR to do the
authentication and will this also support changing AD passwords when
they are expired?

Also, I've done some Google searches and I read the rlm_ldap doc.  I
found examples on how to do checking for a static LDAP group, but can't
find any examples on how to check for a dynamic group name.

Can you give me an example of checking AD group membership, using
rlm_ldap, where the group varies based upon the NAS group and literal
string + attribute value?  For example: for NAS group "mobile", user
must be a member of "Mobile Users" group; for NAS group "APs" and
cisco-av-pair request attr. == "ssid=myssid", the user would need to be
a member of "Wireless myssid Users" group in AD (if the attribute isn't
present, then reject).  If this is possible, can you give me an example
of how this would be done?

Thanks again for your assistance.

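The policy Neal spells out in his second message (NAS group "mobile" requires "Mobile Users"; NAS group "APs" plus a cisco-av-pair of "ssid=X" requires "Wireless X Users"; a missing ssid av-pair is a reject) and Alan's point that AD group checking is just an LDAP membership check can be written down as a small decision procedure. The block below is an added example, not code from this thread and not rlm_ldap configuration or FreeRADIUS source. It assumes the RADIUS request is presented as a dict of attribute name to a list of values (Cisco-AVPair is the dictionary name FreeRADIUS uses for cisco-av-pair, and it can repeat in one request), that the NAS group has already been resolved from the huntgroups file, that the user's password has already been validated by MSCHAPv2, and that the directory lookup returns the user's memberOf DNs the way AD does. The directory contents, user names and group DNs are constructed sample data. It goes slightly beyond the question by failing closed on unknown NAS groups and by escaping the SSID text before it is placed in an LDAP filter, since that text arrives in the request rather than from the administrator.

```python
import re

# Constructed sample of what AD returns in memberOf for three users.
SAMPLE_DIRECTORY = {
    "alice": [
        "CN=Wireless ssid1 Users,OU=Groups,DC=example,DC=com",
        "CN=Mobile Users,OU=Groups,DC=example,DC=com",
    ],
    "bob": ["CN=Wireless ssid2 Users,OU=Groups,DC=example,DC=com"],
    "carol": [],
}

SSID_AVPAIR = re.compile(r"^ssid=(.+)$")


def ssid_from_request(request):
    """Return the SSID from a Cisco-AVPair value of the form 'ssid=...', or None.
    request maps attribute names to lists of values, because Cisco-AVPair
    usually appears several times in one Access-Request."""
    for value in request.get("Cisco-AVPair", []):
        m = SSID_AVPAIR.match(value.strip())
        if m:
            return m.group(1)
    return None


def required_group(nas_group, request):
    """Map the NAS group (and, for APs, the SSID) to the AD group CN the user
    must belong to. None means the policy names no group, i.e. reject."""
    if nas_group == "mobile":
        return "Mobile Users"
    if nas_group == "APs":
        ssid = ssid_from_request(request)
        if ssid is None:          # no ssid av-pair present: reject, per the policy
            return None
        return f"Wireless {ssid} Users"
    return None                   # unknown NAS group: fail closed


def first_rdn_value(dn, attr="CN"):
    """Value of the leading RDN of an LDAP DN (e.g. the CN of a memberOf DN).
    Backslash-escaped characters such as '\\,' inside the value are unescaped."""
    prefix = attr.upper() + "="
    if not dn.upper().startswith(prefix):
        return None
    rest = dn[len(prefix):]
    out, i = [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def is_member(member_of, group_cn):
    """True if any memberOf DN names a group with this CN (AD compares CNs
    case-insensitively, so we do too)."""
    want = group_cn.casefold()
    return any((first_rdn_value(dn) or "").casefold() == want for dn in member_of)


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def group_lookup_filter(group_cn):
    """Filter that resolves a group CN to its DN. The CN embeds SSID text taken
    from the request, so it is escaped before interpolation."""
    return f"(&(objectClass=group)(cn={ldap_filter_escape(group_cn)}))"


def authorize(username, nas_group, request, directory):
    """Decide Access-Accept / Access-Reject for an already-authenticated user.
    Returns (decision, reason)."""
    group = required_group(nas_group, request)
    if group is None:
        return ("Access-Reject", "no group mapped for this NAS group/SSID")
    member_of = directory.get(username)
    if member_of is None:
        return ("Access-Reject", "user not found in directory")
    if not is_member(member_of, group):
        return ("Access-Reject", f"not a member of {group!r}")
    return ("Access-Accept", f"member of {group!r}")


if __name__ == "__main__":
    req = {"Cisco-AVPair": ["auth-algo-type=open", "ssid=ssid1"]}
    print(authorize("alice", "APs", req, SAMPLE_DIRECTORY))
    print(authorize("bob", "APs", req, SAMPLE_DIRECTORY))
    print(authorize("alice", "APs", {}, SAMPLE_DIRECTORY))
```

The accept/reject outcomes for the three calls at the bottom are accept, reject (bob is only in the ssid2 group) and reject (no ssid av-pair in the request). Keeping the SSID-to-group rule in one function makes it easy to audit which SSIDs map to which groups, which is the administrative advantage Neal is after.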