(RADIATOR) AuthBy LSA

Russell Owen rowen at solutionsit.com.au
Tue Jan 13 21:33:14 CST 2004


Hi All,
Does anyone know if there is a way to get AuthBy LSA to act in a similar method to AuthBy ADSI against AD and also check group membership? I had this working perfectly with AuthBy ADSI and the GroupRequired command using PAP, but I now need to use MSCHAP-V2 due to a bug with OSX always defaulting to MSCHAP-v2.
 
I have attached part of my config file. What I need to achieve is authentication against AD that checks group membership and assigns VLAN info (using AddToReply) based on group membership, that also uses TTLS-MSCHAPv2 (to get around a bug with the crappy OSX clients). The attached config works fine with AuthBy ADSI, but only when using TTLS-PAP. I need to somehow convert this to AuthBy LSA, so I can use TTLS-MSCHAPv2.
 
Any assistance would be greatly appreciated.
Russ.
 
 
<Handler Client-Identifier=Wireless>
    RejectHasReason
    # Try each AuthBy in turn until one of them accepts
    AuthByPolicy ContinueWhileReject
    # Strip the realm: keep only the part of the username before the first @
    RewriteUsername s/^([^@]+).*/$1/
    # Staff: must be a member of CN=Staff, placed on VLAN 2
    <AuthBy ADSI>
        Identifier    Staff
        EAPTLS_SessionResumption        0
        AuthUser     %0@intheforrest.wa.au
        SearchAttribute     userPrincipalName
        BindString   LDAP://ou=staff,dc=intheforrest,dc=wa,dc=au
        GroupRequired   CN=Staff
#       AddToReply   Cisco-AVpair="ssid=Staff"
        AddToReply   Tunnel-Type="VLAN" \
            Tunnel-Medium-Type="802" \
            Tunnel-Private-Group-ID="2"
    </AuthBy>
    # Students: must be a member of CN=Students, placed on VLAN 1
    <AuthBy ADSI>
        Identifier    Students
        EAPTLS_SessionResumption        0
        AuthUser     %0@intheforrest.wa.au
        SearchAttribute     userPrincipalName
        BindString   LDAP://ou=students,dc=intheforrest,dc=wa,dc=au
        GroupRequired   CN=Students
#       AddToReply   Cisco-AVpair="ssid=Student"
        AddToReply   Tunnel-Type="VLAN" \
            Tunnel-Medium-Type="802" \
            Tunnel-Private-Group-ID="1"
    </AuthBy>
</Handler>
