(RADIATOR) Win2k, ADSI, and group membership
Hugh Irvine
hugh at open.com.au
Sat Sep 28 19:42:11 CDT 2002
Hello Mark -
Thanks for the tip - we will add it to the FAQ.
For your other question, you will need to use "cascaded" AuthBy
clauses, like this:
# define AuthBy clauses
<AuthBy ADSI>
Identifier CheckADSI
....
</AuthBy>
<AuthBy FILE>
Identifier CheckUsersAndGroups
Filename %D/users.groups
....
</AuthBy>
# define Realms or Handlers
<Handler ...>
AuthBy CheckUsersAndGroups
....
</Handler>
Then the file %D/users.groups would contain something like this:
# %D/users.groups
DEFAULT Auth-Type = CheckADSI, Group = Dialup
....
Hope that helps.
regards
Hugh
On Saturday, September 28, 2002, at 10:18 AM, Motley, Mark wrote:
> I'm in the process of evaluating Radiator for our environment.
>
> During this time, I've figured something out that may be helpful to others. I've also encountered a problem that I hope I can get help with... kind of a give-take situation here folks! ;-)
>
> My goal is to get Radiator to authenticate to our Win2k Active Directory tree. I'm running Radiator on a Win2k server.
>
> We have users strung throughout various OU's in the tree and no real standard on CN names (some have spaces and some have dots between the first & last names). Hence the only thing I can really grab onto is the principalName (UPN, in the RFC822 email format).
>
> I've been able to use this as follows:
>
> BindString LDAP://server/dc=et,dc=rootad,dc=com
> AuthUser %0@ourdomain.com
> # We'll use normal NTLM auth (AuthFlags=1, which is default)
> # AuthFlags 0
>
> Here I'm specifying the root of the domain, and using the UPN as a username (adding the domain name part). Based on my information from MSDN, looks like GetADObject supports the UPN, so we're in business and it works great.
>
> I know somebody had asked about this before, so hopefully this will help.
>
> Now, my problem. Right now, we restrict access to our dial-up service via Win2k group membership. In other words, if a user wants dial-up access, we add them to a specific Win2k group (e.g. "DialUp Users") which grants them the access. This works fine using CiscoSecure ACS (our current RADIUS server) by mapping the WinNT group to an ACS group then allowing that group access to the NAS.
>
> How in the devil do you do this with Radiator?? I just can't figure this out...
>
> Any help is appreciated, and thanks in advance...
>
> - MBM
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
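The cascade Hugh describes splits the decision in two: the users file authorizes (is this account in the dial-up group?) and the Auth-Type item delegates authentication (is the password right?) to the ADSI clause. The following Python model of that flow is an added illustration, not Radiator's own code: it parses a users-file entry of the shape `DEFAULT Auth-Type = CheckADSI, Group = "DialUp Users"`, evaluates the Group check against a constructed in-memory stand-in for the Win2k directory (FAKE_DIRECTORY, the account names, passwords and groups in it, and the Service-Type reply item are all assumptions made for the example), and only then hands the password check to the stand-in for <AuthBy ADSI>, which builds the UPN the same way `AuthUser %0@ourdomain.com` does.

```python
"""Model of a cascaded AuthBy FILE -> AuthBy ADSI decision (added illustration, not Radiator code)."""
import re

# Constructed stand-in for the Win2k directory: UPN -> (password, group names).
# Assumption for the illustration only; a real deployment queries AD through ADSI.
FAKE_DIRECTORY = {
    "alice@ourdomain.com": ("s3cret", {"Domain Users", "DialUp Users"}),
    "bob@ourdomain.com": ("hunter2", {"Domain Users"}),
}

# Constructed users file in the layout the reply shows: check items on the
# name line, reply items indented below (Service-Type is an assumed reply).
USERS_FILE = """\
# %D/users.groups (constructed)
DEFAULT Auth-Type = CheckADSI, Group = "DialUp Users"
        Service-Type = Framed-User
"""

# 'Name = value' or 'Name = "value with spaces"', comma separated.
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,]+))')


def parse_items(text):
    """Turn 'A = x, B = "y z"' into [('A', 'x'), ('B', 'y z')]."""
    return [(key, quoted if quoted else bare.strip())
            for key, quoted, bare in ITEM_RE.findall(text)]


def parse_users_file(text):
    """Parse 'name check-items' lines; indented lines are reply items of the entry above."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1]["reply"].extend(parse_items(raw))
        else:
            name, _, rest = raw.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


class AuthByADSI:
    """Stand-in for <AuthBy ADSI>: forms the UPN like 'AuthUser %0@ourdomain.com'
    and accepts only if that UPN/password pair is valid in the directory."""
    identifier = "CheckADSI"

    def __init__(self, domain, directory):
        self.domain, self.directory = domain, directory

    def upn(self, user):
        return f"{user}@{self.domain}"

    def check_password(self, user, password):
        entry = self.directory.get(self.upn(user))
        return entry is not None and entry[0] == password

    def groups(self, user):
        entry = self.directory.get(self.upn(user))
        return entry[1] if entry else set()


class AuthByFile:
    """Stand-in for <AuthBy FILE>: matches the users file, enforces the check
    items, then delegates the password check to whatever Auth-Type names."""
    identifier = "CheckUsersAndGroups"

    def __init__(self, users_text, authenticators, group_lookup):
        self.entries = parse_users_file(users_text)
        self.by_id = {a.identifier: a for a in authenticators}
        self.group_lookup = group_lookup  # how 'Group = ...' is resolved (assumed)

    def handle(self, user, password):
        entry = next((e for e in self.entries if e["name"] in (user, "DEFAULT")), None)
        if entry is None:
            return "REJECT", "no matching users-file entry"
        auth_type = None
        for key, value in entry["check"]:
            if key == "Auth-Type":
                auth_type = value
            elif key == "Group":
                # Authorization gate: evaluated before any password check is attempted.
                if value not in self.group_lookup(user):
                    return "REJECT", f"not a member of {value}"
            else:
                return "REJECT", f"unsupported check item {key}"
        if auth_type is None or auth_type not in self.by_id:
            return "REJECT", "no usable Auth-Type"
        if not self.by_id[auth_type].check_password(user, password):
            return "REJECT", f"{auth_type} rejected the password"
        return "ACCEPT", entry["reply"]


def authenticate(user, password):
    """What a <Handler> with 'AuthBy CheckUsersAndGroups' would dispatch to."""
    adsi = AuthByADSI("ourdomain.com", FAKE_DIRECTORY)
    handler = AuthByFile(USERS_FILE, [adsi], group_lookup=adsi.groups)
    return handler.handle(user, password)


if __name__ == "__main__":
    for user, pw in (("alice", "s3cret"), ("alice", "wrong"), ("bob", "hunter2"), ("carol", "x")):
        print(user, authenticate(user, pw))
```

Running the block shows the three outcomes the cascade produces: alice is accepted with the reply items, alice with a bad password is refused by the ADSI stage, and bob (a valid account outside "DialUp Users") is refused by the group check before his password is ever tried. One caveat when moving from the model to a real directory: an account's memberOf attribute lists direct memberships only, so if "DialUp Users" is granted through nested groups, confirm how the group check is resolved in the real deployment (tokenGroups gives the transitive set) before relying on it as the access gate.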