3

In order to authenticate WiFi clients I use a FreeRADIUS server configured to check for user credentials in an Active Directory environment. Currently all users with a valid account are authenticated but I want a specific set of users, configured in a group in the Active Directory, to be the only accounts allowed access.

How do I configure FreeRADIUS to allow a specific group defined in the Active Directory to be accepted by the RADIUS server?

FreeRADIUS is installed on CentOS 6.5 and I do not use a MySQL server for my configuration.

Joffrey
Debian
  • Thanks and sorry for my short question. I have a WLAN. For authentication purposes I used FreeRADIUS and WPA2 Enterprise. Usernames and passwords are forwarded to Active Directory for authentication. My question is that I don't want all my Active Directory users to be able to access the network. How can I have a group, e.g. "WiFiaccess", in Active Directory so that, after adding users to that group, they are able to connect to the WiFi network? – Debian Aug 18 '14 at 16:32

1 Answer

3

Basically there are two steps to authenticate and authorize users using FreeRADIUS on an Active Directory:

The authorization part will give you more configuration possibilities and will support matching on groups as configured in your FreeRADIUS configuration. By default the group membership check is disabled. You will need to enable it and configure the LDAP connection.

Make sure you use the ldap directive in the authorize stanza of the configuration, and not in the authenticate stanza. In the authenticate stanza ntlm_auth should be used.

After this is set up you will need to restrict the usage to specific users using the users config file:

# "==" compares LDAP-Group; a single "=" would only assign it and match every user
DEFAULT Auth-Type = ntlm_auth, LDAP-Group == "myfavoriteusers"
Joffrey
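An added example (not from the original answer or from the FreeRADIUS project) showing the three files the answer above touches, using FreeRADIUS 2.x option names and the stock CentOS 6 paths. The server name, bind account, base DN, search filters and the final reject entry are assumptions to adapt to your domain.

```conf
# --- /etc/raddb/modules/ldap (FreeRADIUS 2.x option names) ---
ldap {
    server   = "dc01.example.com"                            # placeholder domain controller
    identity = "cn=radius-bind,cn=Users,dc=example,dc=com"   # placeholder read-only bind account
    password = "CHANGE_ME"                                   # placeholder
    basedn   = "dc=example,dc=com"                           # placeholder
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Group lookup settings. These ship commented out, which is why
    # LDAP-Group never matches on a default install.
    groupname_attribute    = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"

    # Keep ldap out of the password check; that stays with ntlm_auth.
    set_auth_type = no
}

# --- /etc/raddb/sites-available/default ---
# Only the lines relevant to the group check are shown; keep the
# other modules your site already lists in each section.
authorize {
    preprocess
    ldap        # loads the module so LDAP-Group can be compared
    files       # evaluates /etc/raddb/users
}
authenticate {
    ntlm_auth   # existing ntlm_auth module verifies the password
}

# --- /etc/raddb/users ---
# Members of the AD group are handed to ntlm_auth.
DEFAULT LDAP-Group == "myfavoriteusers", Auth-Type = ntlm_auth

# Assumption added in this example: fail closed for everyone else,
# so a valid AD password alone is not enough to get on the WLAN.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the WiFi access group"
```

Running the server in debug mode with `radiusd -X` shows the group comparison and which `users` entry matched for each request.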