[RADIATOR] AuthBy LSA and BaseDN
Craig Simons
craigsimons at sfu.ca
Thu Sep 13 12:31:13 CDT 2012
Thanks for the reply, Heikki. I think in this case, it would probably be easier to just migrate our Radiator deployment to Linux and use the NTLM module.
- Craig
SFU SIMON FRASER UNIVERSITY
Network Services
Craig Simons
Network and Systems Administrator
Phone: 778-782-8036
Cell: 604-649-7977
Email: craigsimons at sfu.ca
Twitter: simonscraig
----- Original Message -----
From: "Heikki Vatiainen" <hvn at open.com.au>
To: "Craig Simons" <craigsimons at sfu.ca>
Cc: radiator at open.com.au
Sent: Thursday, 13 September, 2012 05:53:40
Subject: Re: [RADIATOR] AuthBy LSA and BaseDN
On 09/12/2012 08:03 PM, Craig Simons wrote:
> Basically, our AD permission structure is such that not all OU
> containers are "trusted" enough to allow wireless authentication. So, I
> only want to allow authentication based on user entries in a specific OU
> as opposed to users who are members of a group (not quite the same thing
> I'm led to believe).
Yes, I think these are different things. The LDAP tree structure AD uses
tells where the users can be found, and the user then has, e.g., group
membership as an attribute.
> We (currently) run Radiator on Windows servers and therefore use the LSA
> module for AD authentication. The manual doesn't have any specific
> configuration options for this module that appear to be able to limit
> searches.
The AD directory tree structure is not visible via LSA API. We thought
about two options:
1. Use AuthBy LDAP2 and AuthBy LSA. An LDAP check is done first to see if
the user has a DN (location in the tree) with an allowed OU component. This
does require configuration work and maybe hooks too, but should be possible.
2. Create a new group and place all users that are not allowed to use the
wireless LAN in that group. We could then add 'BlacklistGroup'
functionality in AuthBy LSA. If a user is a member of the blacklisted group,
access would not be allowed.
Do you think option 2 would solve your problem?
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
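The DN test that option 1 relies on ("does this user's entry sit under an allowed OU?") is easy to get subtly wrong, so here is an added, stand-alone illustration of it. This is not Radiator's code and not something either poster wrote; in a real deployment the equivalent logic would live in a Perl hook on the AuthBy LDAP2 side, and the OU names and user DNs below are constructed sample data, not SFU's tree. The point it makes: a substring or regex match on the DN (the tempting shortcut in a hook) accepts entries whose CN merely contains the OU name, entries in a same-named OU under an untrusted parent, and OUs whose name only starts with the trusted one; an RDN-wise suffix match after proper RFC 4514 parsing does not.

```python
"""DN-based OU check for the LDAP-then-LSA approach (option 1 above).

Added illustration, not Radiator code. It models the decision a hook has to
make once AuthBy LDAP2 has found the user's entry: is that entry under an
OU trusted for wireless access? All DNs and OU names are constructed.
"""
import string


def _split_unescaped(s, sep):
    """Split s on occurrences of sep that are not backslash-escaped (RFC 4514).

    Escapes are left intact so a later '=' split and unescape still see them.
    Hex escapes (backslash + two hex digits) never contain a separator, so
    skipping two characters after a backslash is always safe.
    """
    parts, start, i = [], 0, 0
    while i < len(s):
        if s[i] == '\\':
            i += 2
            continue
        if s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    parts.append(s[start:])
    return parts


def _unescape(v):
    """Resolve backslash-char and backslash-hex-hex escapes in an RDN value."""
    out, i = [], 0
    while i < len(v):
        if v[i] == '\\' and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(v[i + 1])
                i += 2
        else:
            out.append(v[i])
            i += 1
    return ''.join(out)


def _trim(v):
    """Drop unescaped leading/trailing spaces around an RDN component."""
    v = v.lstrip(' ')
    while v.endswith(' ') and not v.endswith('\\ '):
        v = v[:-1]
    return v


def parse_dn(dn):
    """Parse a DN into [(TYPE, value), ...], leaf first, normalised for AD.

    AD compares DNs case-insensitively, so types are upper-cased and values
    lower-cased. Multi-valued RDNs ('+') are rare in AD user DNs and are
    treated as a single value here.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        attr, eq, value = _trim(rdn).partition('=')  # attribute types cannot contain '='
        if not eq or not attr:
            raise ValueError('malformed RDN %r in %r' % (rdn, dn))
        rdns.append((attr.strip().upper(), _unescape(_trim(value)).lower()))
    return rdns


def dn_under(dn, base):
    """True if dn is strictly below base: base's RDNs are the tail of dn's RDNs."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b


def wireless_allowed(user_dn, allowed_bases):
    """Proper check: the user entry must live under one of the allowed OUs."""
    return any(dn_under(user_dn, base) for base in allowed_bases)


def naive_allowed(user_dn, ou_name):
    """The shortcut one is tempted to write in a hook: a substring match.

    Shown only for contrast; the sample DNs below include the cases it gets wrong.
    """
    return ('ou=%s' % ou_name).lower() in user_dn.lower()


# Constructed sample data: one trusted OU and a handful of user entries.
ALLOWED_BASES = ['OU=Staff,DC=example,DC=edu']
SAMPLE_DNS = [
    'CN=Alice,OU=Staff,DC=example,DC=edu',                  # directly in the OU
    'CN=Carol,OU=Lab,OU=Staff,DC=example,DC=edu',           # nested below it
    'CN=Bob,OU=Contractors,DC=example,DC=edu',              # elsewhere
    'CN=Eve,OU=Staff,OU=Contractors,DC=example,DC=edu',     # same OU name, wrong parent
    'CN=Eve\\, OU=Staff,OU=Contractors,DC=example,DC=edu',  # escaped comma inside the CN
    'CN=Frank,OU=StaffContractors,DC=example,DC=edu',       # OU name is only a prefix
]

if __name__ == '__main__':
    print('proper naive  dn')
    for dn in SAMPLE_DNS:
        print('%-6s %-6s %s' % (wireless_allowed(dn, ALLOWED_BASES),
                                naive_allowed(dn, 'Staff'), dn))
```

Run as a script it prints both verdicts for each sample DN; only the first two entries should be allowed, and the naive column differs on the last three. Two caveats for anyone wiring this into the LDAP2-then-LSA chain: the LDAP lookup must resolve the same account LSA will authenticate (e.g. the RADIUS User-Name mapped to sAMAccountName, not an unanchored search that could match a different entry), and the LSA step must still be required to succeed, since the DN check only says where the entry lives, not that the password is right.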