[RADIATOR] AuthBy LSA and BaseDN
craigsimons at sfu.ca
Thu Sep 13 14:24:42 CDT 2012
Gaah! You're right. In my mind I was referencing examples of querying AD via LDAP, which would obviously not apply in this case. I suppose there is no current functionality for doing this simply. As per your previous suggestions:
1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if
the user has a DN (location in the tree) with allowed OU component. This
does require configuration work and maybe hooks too, but should be possible.
2. Create a new group and place all users that are not allowed to use
wireless LAN in that group. We could then add 'BlacklistGroup'
functionality in AuthBy LSA. If a user is a member of blacklisted group,
access would not be allowed.
1) I would imagine it would only be an authby group where you'd query the user in AD and ContinueWhileAccept into an LDAP lookup that would look for the user in the tree. It would seem that each authentication event would require a lookup to 2 different servers, which in a busy production environment, I'm not sure it's worth the latency and complication.
2) Our AD environment, like many others, delegates permissions to multiple administrators who all have different areas of responsibility . In ours, administrators can create local accounts in their OUs for their own projects, etc. However, all of our students/staff/etc live in a more tightly controlled OU that is administered centrally. We'd like to contain Radius look ups to this container, but it would appear that we'd need to add everyone into a default group. I have no idea what the implications are for this, so I'm not sure if it's a non-starter or not.
I'll have to go back and think about this some more.
----- Original Message -----
From: "Heikki Vatiainen" <hvn at open.com.au>
To: "Craig Simons" <craigsimons at sfu.ca>
Cc: radiator at open.com.au
Sent: Thursday, 13 September, 2012 11:58:50
Subject: Re: [RADIATOR] AuthBy LSA and BaseDN
On 09/13/2012 08:31 PM, Craig Simons wrote:
> Thanks for the reply Heikki. I think in this case, it would probably be
> easier to just migrate our Radiator deployment to Linux and use the NTLM
Before you start, can you tell how you were planning to configure AuthBy
NTLM? You can give ntlm_auth some options, such as
--require-membership-of but I'm not sure if that would be any different
than using Group option with LSA.
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the radiator