(RADIATOR) Win2k, ADSI, and group membership
Motley, Mark
Mark_Motley at earthtech.com
Fri Sep 27 19:18:59 CDT 2002
I'm in the process of evaluating Radiator for our environment.
During this time, I've figured something out that may be helpful to others.
I've also encountered a problem that I hope I can get help with... kind of a
give-take situation here folks! ;-)
My goal is to get Radiator to authenticate to our Win2k Active Directory
tree. I'm running Radiator on a Win2k server.
We have users strung throughout various OU's in the tree and no real
standard on CN names (some have spaces and some have dots between the first
& last names). Hence the only thing I can really grab onto is the
principalName (UPN, in the RFC822 email format).
I've been able to use this as follows:
BindString LDAP://server/dc=et,dc=rootad,dc=com
AuthUser %0@ourdomain.com
# We'll use normal NTLM auth (AuthFlags=1, which is default)
# AuthFlags 0
Here I'm specifying the root of the domain, and using the UPN as a username
(adding the domain name part). Based on my information from MSDN, looks
like GetADObject supports the UPN, so we're in business and it works great.
I know somebody had asked about this before, so hopefully this will help.
Now, my problem. Right now, we restrict access to our dial-up service via
Win2k group membership. In other words, if a user wants dial-up access, we
add them to a specific Win2k group (e.g. "DialUp Users") which grants them
the access. This works fine using CiscoSecure ACS (our current RADIUS
server) by mapping the WinNT group to an ACS group then allowing that group
access to the NAS.
How in the devil do you do this with Radiator?? I just can't figure this
out...
Any help is appreciated, and thanks in advance...
- MBM
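The two pieces the post is after, as an added example that is not Radiator's code or the poster's: building the UPN lookup from the RADIUS username (%0) without letting filter metacharacters through, and deciding access from the user's memberOf values. The directory records are constructed and the group DN is an assumed one.

```python
"""Group-gated lookup of an AD user by UPN (added example, not Radiator code)."""
import re

DOMAIN = "ourdomain.com"                      # UPN suffix used in the post
BASE_DN = "dc=et,dc=rootad,dc=com"            # root of the domain, as in BindString
DIALUP_GROUP_DN = "CN=DialUp Users,OU=Groups," + BASE_DN   # assumed location of the group

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def upn_for(radius_user: str) -> str:
    """Append the domain, rejecting empty names or names that already carry a realm."""
    if not radius_user or "@" in radius_user or "\\" in radius_user:
        raise ValueError("bad RADIUS username: %r" % radius_user)
    return "%s@%s" % (radius_user, DOMAIN)

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def upn_filter(radius_user: str) -> str:
    """Search filter that finds the user by UPN anywhere under BASE_DN, whatever its CN looks like."""
    return "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(upn_for(radius_user))

def _norm_dn(dn: str) -> str:
    # DN comparison is case-insensitive and tolerant of whitespace after commas.
    return re.sub(r",\s*", ",", dn.strip()).lower()

def has_group(member_of, group_dn: str) -> bool:
    """True if group_dn is among the user's memberOf values.
    memberOf lists direct membership only: nested groups and the primary group are not in it."""
    want = _norm_dn(group_dn)
    return any(_norm_dn(dn) == want for dn in member_of)

# Constructed directory records: UPN -> memberOf, shaped like what AD returns.
SAMPLE_DIRECTORY = {
    "jane.doe@ourdomain.com": ["CN=DialUp Users,OU=Groups," + BASE_DN,
                               "CN=Staff,OU=Groups," + BASE_DN],
    "bob smith@ourdomain.com": ["CN=Staff,OU=Groups," + BASE_DN],
}

def dialup_allowed(radius_user: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Answer only the group question; the password check (NTLM in the post) happens separately."""
    member_of = directory.get(upn_for(radius_user))
    return member_of is not None and has_group(member_of, DIALUP_GROUP_DN)
```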
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.