(RADIATOR) AuthBy LSA
Russell Owen
rowen at solutionsit.com.au
Tue Jan 13 21:33:14 CST 2004
Hi All,
Does anyone know if there is a way to get AuthBy LSA to act in a similar way to AuthBy ADSI against AD and also check group membership? I had this working perfectly with AuthBy ADSI and the GroupRequired command using PAP, but I now need to use MSCHAP-V2 due to a bug with OS X always defaulting to MSCHAP-V2.
I have attached part of my config file. What I need to achieve is authentication against AD that checks group membership and assigns VLAN info (using AddToReply) based on group membership, and that also uses TTLS-MSCHAPv2 (to get around a bug with the crappy OS X clients). The attached config works fine with AuthBy ADSI, but only when using TTLS-PAP. I need to somehow convert this to AuthBy LSA so I can use TTLS-MSCHAPv2.
Any assistance would be greatly appreciated.
Russ.
<Handler Client-Identifier=Wireless>
    # Include the reject reason in the Access-Reject
    RejectHasReason
    # Try each AuthBy in turn; a reject from the Staff clause falls
    # through to the Students clause, the first accept wins
    AuthByPolicy ContinueWhileReject
    # Strip any @realm so that %0 is the bare account name
    RewriteUsername s/^([^@]+).*/$1/

    <AuthBy ADSI>
        Identifier Staff
        EAPTLS_SessionResumption 0
        # Bind as the user's UPN: the stripped name plus the domain suffix
        AuthUser %0@intheforrest.wa.au
        SearchAttribute userPrincipalName
        # Only accounts under the staff OU are searched
        BindString LDAP://ou=staff,dc=intheforrest,dc=wa,dc=au
        # Only members of the Staff group are accepted
        GroupRequired CN=Staff
        # AddToReply Cisco-AVpair="ssid=Staff"
        # Staff go on VLAN 2 (RFC 2868 tunnel attributes)
        AddToReply Tunnel-Type="VLAN" \
            Tunnel-Medium-Type="802" \
            Tunnel-Private-Group-ID="2"
    </AuthBy>

    <AuthBy ADSI>
        Identifier Students
        EAPTLS_SessionResumption 0
        AuthUser %0@intheforrest.wa.au
        SearchAttribute userPrincipalName
        # Only accounts under the students OU are searched
        BindString LDAP://ou=students,dc=intheforrest,dc=wa,dc=au
        # Only members of the Students group are accepted
        GroupRequired CN=Students
        # AddToReply Cisco-AVpair="ssid=Student"
        # Students go on VLAN 1
        AddToReply Tunnel-Type="VLAN" \
            Tunnel-Medium-Type="802" \
            Tunnel-Private-Group-ID="1"
    </AuthBy>
</Handler>
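The same handler converted to AuthBy LSA, added here as an illustration; it is not part of Russ's post or of the Radiator distribution. The reason the ADSI version only works with PAP is that an LDAP bind needs the cleartext password, while MSCHAP-V2 only delivers a challenge response; LSA hands that response to the Windows domain for verification, so the bind and OU-scoped search go away and group membership is checked by the domain instead. This example assumes the Domain and Group parameters of AuthBy LSA as described in the Radiator reference manual (verify them against the manual for your Radiator version), a NetBIOS domain name of INTHEFORREST (an assumption), and that the EAP-TTLS outer settings (EAPType, server certificate) are configured elsewhere, as in the original.

```text
<Handler Client-Identifier=Wireless>
    RejectHasReason
    AuthByPolicy ContinueWhileReject
    # LSA takes the bare account name, so strip any @realm first
    RewriteUsername s/^([^@]+).*/$1/

    <AuthBy LSA>
        Identifier Staff
        EAPTLS_SessionResumption 0
        # Windows domain the accounts live in (assumed NetBIOS name)
        Domain INTHEFORREST
        # Membership is checked by the domain, not by an LDAP search;
        # only members of this global group are accepted
        Group Staff
        AddToReply Tunnel-Type="VLAN" \
            Tunnel-Medium-Type="802" \
            Tunnel-Private-Group-ID="2"
    </AuthBy>

    <AuthBy LSA>
        Identifier Students
        EAPTLS_SessionResumption 0
        Domain INTHEFORREST
        Group Students
        AddToReply Tunnel-Type="VLAN" \
            Tunnel-Medium-Type="802" \
            Tunnel-Private-Group-ID="1"
    </AuthBy>
</Handler>
```

Two things to check before relying on this. AuthBy LSA only works with Radiator running on a Windows host that is a domain member, as a service with the "Act as part of the operating system" privilege; without that the LSA calls fail for every user. Second, the ADSI version restricted each clause to one OU by BindString, and the LSA version has no OU scoping, so the Group check is now the only thing separating staff from students: an account that is in both groups will match the Staff clause first under ContinueWhileReject and land on VLAN 2.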