The setup

We currently have a Freeradius server used to authenticate our Wifi users against our Active Directory server. The link between Freeradius and the Active Directory is done by Winbind.

In order for the user to be able to obtain authorization, it needs to belong to a group in the Active Directory. This is done by adding an argument to the ntlm_auth command.

What we are trying to achieve

We are now adding 802.1X to our cabled networks and would like to re-use the existing Radius server to authenticate against the same Active Directory.

Everything will be the same except that the authorization will need to be based on whether the user belongs to a different group than the one used for the Wifi networks.

What we have already tried

I have read many things on Freeradius in the documentation and have seen that it is possible to use conditionals and variables. My plan therefore was to put a variable in the ntlm_auth command that would contain the group SID (as suggested on the Freeradius mailing lists). The group SID would be dependent on the IP of the network device, which should be contained in "NAS-IP-Address".

This should just be a case of writing a simple conditional statement and setting a variable. Nonetheless, I have not been able to do this, as Freeradius will not start every time I try to add a conditional to the configuration files.

So my questions are:

  • How do I set a variable depending on the NAS-IP-Address?

  • In which files can such syntax be used?

Antoine Benkemoun

1 Answer

Unlang (which is the conditional language you're referring to) can only be used within the subsections of virtual servers (server {} blocks).

Expansions like %{foo} can sometimes be used in module configuration items like ntlm_auth, but it depends on the configuration item. The examples in the module config files will usually give you a hint as to whether expansions can be used.

The virtual server config files can be found in /etc/raddb/sites-available or /etc/freeradius/sites-available.

The easiest way to achieve what you're asking for would be to add an extra config pair to the various client sections instead of basing something on NAS-IP-Address.

For example:

client my_client {
    ipaddr = 127.0.0.1
    secret = testing123
    ad_group = <group>
}

Then you can use the expansion %{client:ad_group} to pass the ad_group value in the ntlm_auth arguments.

Arran Cudbard-Bell
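Putting the answer's suggestion together end to end, as an added example that is not part of the original answer: one client entry per NAS type carrying its own ad_group, and the mschap module's ntlm_auth item consuming it through %{client:ad_group}. The IP addresses, secrets, group SIDs, domain name and the ntlm_auth path are constructed placeholders; the file names assume a FreeRADIUS 2.x layout (modules/mschap; mods-available/mschap on 3.x).

```conf
# clients.conf -- each NAS carries the SID of the AD group its users must belong to.
# Define ad_group on every client so the expansion below never comes up empty.
client wifi_controller {
    ipaddr   = 192.0.2.10                     # constructed address of the Wifi controller
    secret   = REPLACE_WITH_WIFI_SECRET
    ad_group = S-1-5-21-0-0-0-1001            # placeholder SID of the "Wifi users" group
}

client wired_switch {
    ipaddr   = 192.0.2.20                     # constructed address of the 802.1X switch
    secret   = REPLACE_WITH_WIRED_SECRET
    ad_group = S-1-5-21-0-0-0-1002            # placeholder SID of the "wired 802.1X users" group
}

# modules/mschap -- ntlm_auth is xlat-expanded per request, so %{client:ad_group}
# resolves to the ad_group of whichever client sent the Access-Request.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{client:ad_group}"
}
```

A quick way to confirm the per-client value is being picked up is to run the server in debug mode (radiusd -X) and watch the expanded ntlm_auth command line logged for a request from each NAS.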