RE: Active Directory with NTLM_AUTH

2006-10-13 Thread Garber, Neal
> What is added to the user file for this? Is it similar to below:

Do you need those reply attributes returned?  If not, you may not need
anything in the users file.  I don't have anything in mine, but I'm not
using radius for dial-up/PPP.

> Can I simply use the: --require-membership-of='DOMAIN\Group'
> option of ntlm_auth to accomplish the group check?

I've used this option manually with clear-text passwords, but I haven't
tried it from mschap in FR.  Does it work for you when you run ntlm_auth
from a shell prompt?  If you can't get it to work from mschap, you can
have LDAP get the user's group memberships by adding a checkItem to
ldap.attrmap.  In our environment, the groups to which a user is a
member are stored in the memberOf LDAP attribute.  So, I have the
following in my ldap.attrmap file:

checkItem Ldap-Group  memberOf

Then, ensure ldap is in your authorize section.  This checkItem will
cause ldap to create one Ldap-Group check attribute for each group to
which the user is a member.  In the past, I have successfully used
checkval to do the comparison.  The checkval module compares a request
attribute to a check attribute.  If your group name isn't in a request
attribute, you can use attr_rewrite to add a request attribute with the
group name you desire to test against.  You would then put checkval
after the attr_rewrite and ldap modules in authorize.  

I'm currently using perl to do authorization because of the flexibility
it affords.  (In my case, depending upon the Huntgroup-Name, the group
membership requirement varies.  Also, for some Huntgroups, I allow
several groups and I return a custom reply attribute that specifies the
user's privilege level based on which group they were a member.)  If you
use perl, you wouldn't need attr_rewrite or checkval.

I haven't been using FR for very long so this may not be the best
approach.  However, I'm sure others will chime in if there are better
alternatives.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
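The authorization logic described above (one Ldap-Group check item per memberOf value, a static group test for the simple case, and per-huntgroup group requirements with a privilege-level reply for the perl case), as an added stand-alone example; this is not Neal's perl, nor FreeRADIUS code. The rlm_perl/rlm_ldap glue is left out: the request and check attributes are passed in as plain Python values. The huntgroup names, group DNs and the Privilege-Level reply attribute are invented for illustration. Two details matter in practice and are handled here: AD returns memberOf as full DNs, and DN and group-name comparison must be case-insensitive.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Ldap-Group check items rlm_ldap would create from
# "checkItem Ldap-Group memberOf".  AD stores memberOf as full DNs, and a CN
# may contain an escaped comma.
SAMPLE_CHECK_ITEMS: Dict[str, List[str]] = {
    "Ldap-Group": [
        "CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com",
        "CN=Smith\\, John Team,OU=Groups,DC=corp,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com",
    ]
}

# Hypothetical policy: per Huntgroup-Name, the groups that satisfy it, highest
# privilege first.  An entry may be a bare CN or a full DN.
POLICY: Dict[str, List[Tuple[str, int]]] = {
    "vpn":    [("VPN Admins", 15), ("VPN Users", 1)],
    "dialup": [("CN=Dialup Users,OU=Groups,DC=corp,DC=example,DC=com", 1)],
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def dn_cn(dn: str) -> Optional[str]:
    """Return the leftmost CN value of a DN (unescaped), or None if it has none."""
    first = split_dn(dn)[0]
    if "=" not in first:
        return None
    attr, value = first.split("=", 1)
    if attr.strip().lower() != "cn":
        return None
    return value.replace("\\,", ",").strip()


def normalize_dn(dn: str) -> str:
    """Lower-case every RDN and drop whitespace around commas for comparison."""
    return ",".join(p.lower() for p in split_dn(dn))


def group_matches(check_value: str, wanted: str) -> bool:
    """Compare one Ldap-Group check value with a policy entry, case-insensitively.
    A policy entry written as a DN must match the whole DN; a bare name matches the CN."""
    if "=" in wanted:
        return normalize_dn(check_value) == normalize_dn(wanted)
    cn = dn_cn(check_value)
    return cn is not None and cn.lower() == wanted.lower()


def is_member(check: Dict[str, List[str]], group: str) -> bool:
    """The static case: does any Ldap-Group check item name this group?"""
    return any(group_matches(g, group) for g in check.get("Ldap-Group", []))


def authorize(request: Dict[str, str],
              check: Dict[str, List[str]]) -> Tuple[str, Dict[str, str]]:
    """Return ("ok", reply) or ("reject", {}) the way a perl authorize function
    would decide from the request attributes and the Ldap-Group check items."""
    allowed = POLICY.get(request.get("Huntgroup-Name", ""))
    if allowed is None:
        return "reject", {}                 # unknown huntgroup: fail closed
    groups = check.get("Ldap-Group", [])
    if not groups:
        return "reject", {}                 # no memberOf at all: in no group
    for wanted, level in allowed:           # first match wins
        if any(group_matches(g, wanted) for g in groups):
            return "ok", {"Privilege-Level": str(level)}   # hypothetical reply attr
    return "reject", {}


if __name__ == "__main__":
    print(authorize({"Huntgroup-Name": "vpn"}, SAMPLE_CHECK_ITEMS))
    print(authorize({"Huntgroup-Name": "dialup"}, SAMPLE_CHECK_ITEMS))
```

The policy table is ordered so that a user in both an admin and a user group gets the higher privilege level; if you instead want the lowest, reverse each list.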


Re: Active Directory with NTLM_AUTH

2006-10-12 Thread duckeo

> You can use LDAP in the authorize section to accomplish this.  Is the
> group name you are checking against static?  Is it
> sometimes/always/never the primary group for the user?


Group name is static, never the primary group for the user. What is
added to the user file for this? Is it similar to below:
DEFAULT Ldap-Group == "GroupName"
   Service-Type = Framed,
   Framed-Protocol = PPP,
   Framed-IP-Address = 255.255.255.254,
   Framed-IP-Netmask = 255.255.255.255,
etc..

Can I simply use the:
--require-membership-of='DOMAIN\Group'
option of ntlm_auth to accomplish the group check?


> I have had LDAP only working with PAP, but am stuck with getting it to
> work with MS-CHAP.

> You can't use LDAP with MS-CHAP.  Use the mschap module to do the
> authentication.

Yup, I realised this, which is why I'm pursuing the mschap module with ntlm_auth.


> Look at the comments in radiusd.conf to see how to use
> ntlm_auth via the mschap module of FR.


I'm not finding the comments very useful in terms of what I need to do
next after setting the options, which is why I posted here.


RE: Active Directory with NTLM_AUTH

2006-10-12 Thread Garber, Neal
> I also need to check that the user is a member of a particular group
> in Active Directory before Access-Accept is sent - do I fall back to
> LDAP for this?

You can use LDAP in the authorize section to accomplish this.  Is the
group name you are checking against static?  Is it
sometimes/always/never the primary group for the user?

> I have had LDAP only working with PAP, but am stuck with getting it to
> work with MS-CHAP.

You can't use LDAP with MS-CHAP.  Use the mschap module to do the
authentication.  Look at the comments in radiusd.conf to see how to use
ntlm_auth via the mschap module of FR.

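The wiring the thread refers to (mschap handing MS-CHAP to Samba's ntlm_auth, ldap in authorize, and the shell-prompt check Neal suggests), as an added configuration example; it is not taken from the posters' configs or from the radiusd.conf comments themselves. The path, domain name and group name are assumptions, and the --require-membership-of line is shown only as the option the thread asks about: whether it works when called from mschap is not confirmed on this page. The ntlm_auth command line is the form documented for FreeRADIUS 1.x.

```conf
# --- radiusd.conf (FreeRADIUS 1.x layout), assumed paths and names ---
modules {
    mschap {
        # Hand the MS-CHAP challenge/response to winbind via ntlm_auth.
        # Add --require-membership-of='EXAMPLE\VPN Users' to this line to test
        # the group check inside ntlm_auth itself (untested from mschap here).
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    mschap      # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    ldap        # with "checkItem Ldap-Group memberOf" in ldap.attrmap, adds one
                # Ldap-Group check item per memberOf value (full DNs in AD)
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

# --- Manual check from a shell prompt, as suggested above (clear-text password) ---
# ntlm_auth --domain=EXAMPLE --username=jdoe --password='secret' \
#           --require-membership-of='EXAMPLE\VPN Users'; echo "exit=$?"
# Exit status 0 means the password was accepted and the membership test passed;
# a non-zero status means one of the two failed.
```

Run the manual check first with a user who is in the group and again with one who is not, so you can tell a winbind or password problem apart from a group-name mismatch before involving FreeRADIUS.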