"Atkinson, Dudley" <[EMAIL PROTECTED]> wrote:
> Problem: Authenticate a user with FreeRadius, using their membership in an
> NT domain GROUP for authorization to access the remote access device (a VPN
> server).
>
> Suggested Solution:
> 1. Configure the VPN server to be in a huntgroup, and assign a GROUP
> attribute in the huntgroups file (call it VPNSERVER)
> 2. Configure WINBIND on the FreeRadius server and setup FreeRadius to use
> that PAM for lookups.

FreeRADIUS also supplies rlm_smb, which does SMB authentication. It may work for you...

> I want the username to be validated as part of an NT domain group before
> granting access. Different VPN servers would be different huntgroups, so I
> know I can differentiate there. I'm not sure that I can put users into NT
> groups and cluster the access on that side.

Does the NT server export the information as to which user is in which group? If not, then it's impossible.

> When the GROUP attribute is set in the huntgroups file, is that GROUP used
> in the WINBIND session to check the username password AND group membership?
> If not, then what can be done?

No, and there isn't much you can do for that solution, at least.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
