PS: you'll likely need to use the SID of the group, I could not get it working with the group "name" - YMMV.
----- Original Message -----
From: Gary Gatten [mailto:ggat...@waddell.com]
Sent: Monday, February 28, 2011 06:14 PM
To: 'freeradius-users@lists.freeradius.org' <freeradius-users@lists.freeradius.org>
Subject: Re: Clarification / Confirmation needed re: FreeRadius against Active Directory

Read the doc on ntlm_auth. There's an option like "require membership of." I'll leave the other question to someone more knowledgeable as I was/am in a similar position.

----- Original Message -----
From: Moe, John [mailto:j...@hatch.com.au]
Sent: Monday, February 28, 2011 06:00 PM
To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org>
Subject: Clarification / Confirmation needed re: FreeRadius against Active Directory

I'm setting up an Ubuntu server (10.04LTS amd64) with FreeRadius (v2.1.8 from apt-get) to use as an authenticator against Active Directory for our HP ProCurve switches. I've gotten the server on to our Active Directory domain, and have begun the setup of the FreeRadius server. I've even managed to allow login to a test ProCurve switch using my AD username.

Now, I've read a lot of configuration pages (for Ubuntu, Samba, Winbind, and FreeRadius, to name a few) in the last few days, and my head's spinning a bit, and I'd like to make sure I'm doing this right, and I've managed to grasp a few things...

Should I be using ntlm_auth, or mschap as my Auth-Type for the ProCurve switches? Currently, I'm using:

    # HP ProCurve Switch
    DEFAULT Auth-Type = ntlm_auth, NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User
            Service-Type = 6

as my line in the "users" file, and it works, but I want to make sure it's a) doing what I think it's doing, and b) the right way to do it.
From some of my reading, it seemed to indicate that Auth-Type shouldn't need to be set, that FreeRadius should be able to figure it out, but if I leave it out, it appears to match the rest of the rule (NAS-Port-Type and Service-Type), but I get a message saying:

    Tue Mar 1 09:54:03 2011 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Tue Mar 1 09:54:03 2011 : Info: Failed to authenticate the user.

I've put a single "=" in for the Auth-Type, because the documentation seems to say that with "=", it'll only add that to the request if no other Auth-Type was previously set, so that seems to say that the ProCurve switch isn't requesting ntlm_auth. How is FreeRadius supposed to figure it out, then?

Also, I'd like to match the rule (or are they called policies?) against an Active Directory group name, so that only members of a specific group can get access into the switch. I can't seem to find any way to match for that; is it possible?

Any help or pointers would be appreciated. Thanks.

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
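Added example, not posted by anyone in the thread: the three FreeRADIUS 2.1.x config pieces that tie the original "users" entry to the ntlm_auth group restriction the replies point at. The ntlm_auth path, the domain name MYDOMAIN, the group name Switch-Admins and the SID value are assumptions and placeholders, not values from the thread.

```conf
# raddb/modules/ntlm_auth  (FreeRADIUS 2.1.x layout)
# The exec module calls Samba's ntlm_auth for PAP requests.
# --require-membership-of accepts a group SID or name; the PS above
# reports the name form not working, so use the SID. Look it up on
# the RADIUS host with:  wbinfo --name-to-sid 'MYDOMAIN\Switch-Admins'
# The SID below is a placeholder, replace it with the real one.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-000000000-000000000-000000000-1234"
}

# raddb/sites-enabled/default, authenticate section.
# The instance name listed here is what "Auth-Type = ntlm_auth" in the
# users file resolves to; without it the server logs "No authenticate
# method (Auth-Type) configuration found" and rejects the request.
authenticate {
	ntlm_auth
}

# raddb/users: the entry from the original question, unchanged.
# With the membership flag in place, a user outside the group makes
# ntlm_auth exit non-zero, and the exec module turns that into an
# Access-Reject before Service-Type = 6 (Administrative-User) is
# ever returned to the switch.
# HP ProCurve Switch
DEFAULT Auth-Type = ntlm_auth, NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User
	Service-Type = 6
```

Test it from the RADIUS host first by running the ntlm_auth command line by hand with a member and a non-member account, then with radtest, so that a wrong SID shows up as a clean reject rather than as a confusing switch-side error.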