Hi,

My situation:

I have Windows 2003 Server domain controllers. I use FreeRADIUS, which authenticates the clients in the domain with ntlm_auth. Only users who are in the group "wireless" have access to the wireless:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=DOMAIN\\WIRELESS"

My question is now:
how can I realize that I have two SSIDs, one SSID=administrators and the other SSID=users? I omit the "--require-membership-of=DOMAIN\\WIRELESS" on the NTLM authentication and make two groups in the Active Directory:
-- wireless_admin  -  ssid1=adminis
-- wireless_users  -  ssid2=users

When the user is a member of admins he gets the VLAN and the SSID for Administrators, and when the user is a member of users he gets the VLAN and the SSID for Users.

Is it possible to configure it in "/etc/raddb/users" like the following, but without user1, instead of this a group...

user1    Auth-Type := EAP
          Cisco-AVPair := "ssid=admins",
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 2,
          Tunnel-Type = VLAN

user2    Auth-Type := EAP
          Cisco-AVPair := "ssid=users",
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 3,
          Tunnel-Type = VLAN

Does someone have experience with associating NTLM and group differentiation...
And how can I do it so that the admins can also log in via shell, and the users only get authentication, no shell or something like that?

Thx, Konne
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
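One way to do what the post asks for, added here as an illustration and not taken from the post or from the FreeRADIUS project: keep ntlm_auth for the MS-CHAP authentication, but look up the AD group with rlm_ldap and decide VLAN, SSID and shell access with DEFAULT entries in the users file instead of per-user entries. FreeRADIUS 2.x syntax is assumed; the server name, base DN, bind account and password are placeholders; the group names and VLAN numbers are the ones from the post. It also assumes the NAS sends Service-Type = Login-User for a console/telnet login and Service-Type = Framed-User for 802.1X clients, which is the usual Cisco behaviour, and that the mschap ntlm_auth line no longer carries --require-membership-of (the final catch-all entry rejects anyone who is in neither group).

```text
# --- modules/ldap (assumed values; AD does not allow anonymous bind) ---
ldap {
        server = "dc1.example.local"
        identity = "CN=radius,CN=Users,DC=example,DC=local"
        password = "changeme"
        basedn = "DC=example,DC=local"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

        # AD groups are objectClass=group and list members in 'member'.
        # The rlm_ldap default filter expects groupOfNames, so override it,
        # otherwise Ldap-Group never matches.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- /etc/raddb/users: no per-user entries, everything keyed on AD group ---
# Entries are tried top to bottom; Fall-Through = No stops at the first match.

# 1. Admins logging in to the NAS shell get an exec session with priv 15.
DEFAULT  Ldap-Group == "wireless_admin", Service-Type == Login-User
         Service-Type = Administrative-User,
         Cisco-AVPair = "shell:priv-lvl=15",
         Fall-Through = No

# 2. Any other shell login is refused before the wireless entries are reached.
DEFAULT  Service-Type == Login-User, Auth-Type := Reject
         Reply-Message = "Shell access is for wireless_admin members only",
         Fall-Through = No

# 3. Admins on the wireless: VLAN 2 and the admin SSID.
DEFAULT  Ldap-Group == "wireless_admin"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 2,
         Cisco-AVPair = "ssid=admins",
         Fall-Through = No

# 4. Normal users on the wireless: VLAN 3 and the user SSID.
DEFAULT  Ldap-Group == "wireless_users"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 3,
         Cisco-AVPair = "ssid=users",
         Fall-Through = No

# 5. Member of neither group: reject, which replaces --require-membership-of.
DEFAULT  Auth-Type := Reject
         Reply-Message = "Not a member of wireless_admin or wireless_users"
```

Two things have to be true for this to work with PEAP/MS-CHAPv2: `ldap` and `files` must be listed in the `authorize` section of the inner-tunnel virtual server (that is where the inner identity and the group check are evaluated), and the `peap` section of eap.conf needs `use_tunneled_reply = yes`, otherwise the Tunnel-* and Cisco-AVPair attributes set inside the tunnel never reach the outer Access-Accept that the access point sees. Run `radiusd -X` and check the debug output for `rlm_ldap: performing search` followed by the group filter to confirm the membership lookup is actually happening.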
