I feel like jumping up and down after I got FreeRadius, samba winbind, XCA w/ ECDSA certs, Active Directory, and Ubiquiti Unifi all talking together.
Next problem, any valid account in ActiveDirectory will currently authenticate. How do I limit this to the members of a specific AD group?
One terrible way I had thought of was in the post-auth module executing a bash script that does a quick LDAP search. Could anything bad happen from this?
EDIT
Here's a guide to getting it all to work! https://gist.github.com/exabrial/368c279aad65cefd8c5f
For now, you need to use `rlm_ldap` (which will be considerably faster than a bash script). We have discussed exposing winbind's APIs for group lookups, but you'd need to be using Samba 3.2.1 and a build of FreeRADIUS v3.1.x to take advantage of any features that were developed.

I'll leave you to look through (and complete) `mods-available/ldap`, as the config file is pretty well documented. After you have it customised to your LDAP server, create a symlink from `mods-available/ldap` to `mods-enabled/ldap` to enable the module.

To perform group lookups you need to compare the `LDAP-Group` attribute with a value, and then make the decision to reject the user. Something like:

...in the inner tunnel virtual server would work.
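One concrete shape for the check the answer describes, written here as an added example rather than the answerer's own snippet: the `rlm_ldap` user and group sections tuned for an Active Directory schema (`sAMAccountName`, `memberOf`), followed by the `LDAP-Group` comparison in the inner tunnel. The server, bind account, base DN and group DN are placeholders.

```text
# mods-available/ldap  (added example; only the parts relevant to group checks)
ldap {
    server   = "ldaps://dc1.example.com"                   # placeholder DC
    identity = "CN=radius,OU=Service,DC=example,DC=com"    # placeholder bind account
    password = "CHANGEME"
    base_dn  = "DC=example,DC=com"                         # placeholder base DN

    user {
        base_dn = "${..base_dn}"
        # AD users are looked up by sAMAccountName; fall back to the full
        # User-Name if no realm was stripped off in the inner tunnel.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter  = "(objectClass=group)"
        # AD publishes group membership on the user object as memberOf,
        # so a DN-style LDAP-Group comparison can be answered from that attribute.
        membership_attribute = "memberOf"
    }
}

# sites-available/inner-tunnel, authorize section  (added example)
authorize {
    # ... the shipped module calls (suffix, eap, mschap, ...) stay in place ...

    # Resolve the inner identity against AD so LDAP-Group can be evaluated.
    ldap

    # Only members of this group (placeholder DN) may go on to authenticate;
    # every other valid AD account is rejected before the password is checked.
    if (!(LDAP-Group == "CN=WiFi-Users,OU=Groups,DC=example,DC=com")) {
        reject
    }

    # ... remaining shipped modules (expiration, logintime, pap) ...
}
```

Because the inner tunnel is where PEAP/EAP-TTLS reveals the real username, placing the check there means the outer anonymous identity cannot bypass it.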