We use Cisco 1232 APs with EAP-PEAP-MSCHAPv2 to a Cisco ACS (RADIUS server). We would like to restrict access to SSIDs based upon Windows group membership. The ACS server is not capable of doing this. I currently have FreeRadius (1.1.2) installed under FreeBSD with OpenSSL 0.9.7d-p1 17 and Samba 3.0.20b.

If the server is joined to an Active Directory domain, would it be possible to not just authenticate user/pwd through Samba, but also to check for Windows group membership based upon the SSID to which the user is trying to authenticate? If this is possible, can you suggest the general approach to implementing this?

For instance, if we have SSIDs ssid1, ssid2 and ssid3 and we want to map

ssid1 -> Windows group "ssid1 users"
ssid2 -> Windows group "ssid2 users"
ssid3 -> Windows group "ssid3 users"

such that if the user is a member of the group and their credentials are valid, FreeRadius would return Access-Accept. If they aren't a member of the group or their credentials are invalid, it would return Access-Reject.

I've seen some threads talking about putting a SSID attribute in LDAP. But users could be authorized for more than one SSID, so it doesn't seem like that approach would work. Also, administratively, it's easier to identify/manage who is authorized for which SSIDs if it is done via group membership as opposed to a user attribute.

Also, does FreeRadius support changing of passwords via MSCHAP to Active Directory when the password is expired?

Thank you in advance for any help/guidance you can provide.

Neal
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
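One way to express the SSID-to-group mapping asked about above, as an added editor's example and not a reply from the list: a FreeRADIUS `users` file fragment that keys on the SSID suffix Cisco APs put in Called-Station-Id and checks group membership with rlm_ldap's Ldap-Group check item. It assumes rlm_ldap is configured in `authorize` against the AD domain (with a groupmembership_filter suited to AD's `member` attribute), that `copy_request_to_tunnel = yes` is set in the `peap` section of eap.conf so the inner request sees Called-Station-Id, and that the group names and the `<AP-MAC>:<SSID>` format match your deployment.

```conf
# users -- per-SSID authorization by AD group (editor's example, assumed setup)
#
# Cisco APs send Called-Station-Id as "<AP-MAC>:<SSID>", so match on the
# ":<SSID>" suffix rather than the whole value. Ldap-Group is a check item
# supplied by rlm_ldap; the inner PEAP request only carries Called-Station-Id
# when copy_request_to_tunnel = yes in the peap {} block of eap.conf.
#
# Each entry stops processing on match (Fall-Through defaults to No); the
# password itself is still verified by the EAP-MSCHAPv2 / mschap (ntlm_auth)
# path, so a valid user in the wrong group still gets Access-Reject below.

DEFAULT Called-Station-Id =~ ":ssid1$", Ldap-Group == "ssid1 users"
        Fall-Through = No

DEFAULT Called-Station-Id =~ ":ssid2$", Ldap-Group == "ssid2 users"
        Fall-Through = No

DEFAULT Called-Station-Id =~ ":ssid3$", Ldap-Group == "ssid3 users"
        Fall-Through = No

# Anything not matched above: known SSID but wrong group, or an SSID that
# has no mapping at all. Reject explicitly so a missing mapping fails closed.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for this SSID"
```

Because the `DEFAULT ... Reject` entry is last, adding a new SSID means adding one entry above it; users in several groups simply match on whichever SSID they connect to, which is the multi-SSID case the LDAP-attribute approach could not express.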

