I have a freeradius setup (currently 1.1.1) for a VPN NAS box using 
128-bit MPPE MSCHAPv2 authentication against a Samba password file 
and have recently added an EAP/PEAP setup for switches and access 
points to provide 802.1x access control.

This all works, and I now need to check multiple Samba password 
files and, depending on which one contains the user's credentials, 
return a VLAN tag to the switch.

In users I think I need:

DEFAULT something == "staff"
        Tunnel-Type:0 = VLAN,
        Tunnel-Medium-Type:0 = IEEE-802,
        Tunnel-Private-Group-Id:0 = 1000

DEFAULT something == "student"
        Tunnel-Type:0 = VLAN,
        Tunnel-Medium-Type:0 = IEEE-802,
        Tunnel-Private-Group-Id:0 = 1001

where 'something' gets set depending on which password file the 
username exists in.

Note that usernames are mutually exclusive - they will only exist in 
one of the samba password files.

I created multiple instances of passwd modules:

        passwd smbpasswd_staff {
                filename = /path/to/smbpasswd_staff
                format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
                authtype = MS-CHAP
                hashsize = 100
                ignorenislike = no
                allowmultiplekeys = no
        }

        passwd smbpasswd_student {
                filename = /path/to/smbpasswd_student
                format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
                authtype = MS-CHAP
                hashsize = 100
                ignorenislike = no
                allowmultiplekeys = no
        }

and tried using realms and Autz-Type in the authorize section and 
changing User-Name to Stripped-User-Name, but this doesn't work with 
EAP. I would also prefer not to have the users specify some prefix 
or suffix to select which Samba password file is checked, if possible.

I've had a look through the list archives and can't find any hints, 
so can anyone suggest what I could try next?

Tom
-- 
Tom Whitehouse
Department of Computer Science, University of York
Heslington, York YO10 5DD, United Kingdom
email: [EMAIL PROTECTED]  |  Fax:   +44 1904 432767
http://www.cs.york.ac.uk   |  Voice: +44 1904 434725

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
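
The setup described in the message relies on each username appearing in exactly one smbpasswd file. As an added example (not part of the original message and not FreeRADIUS code), this Python check parses the files using the field order in the post's format string and reports the VLAN each user would map to, plus any name present in more than one file. The group labels, the sample entries and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# VLAN IDs taken from the users entries in the post; group labels are assumptions.
VLAN_BY_GROUP = {"staff": 1000, "student": 1001}

NOPW = "X" * 32  # smbpasswd placeholder hash; all sample data below is constructed
STAFF = f"""# constructed sample, not real accounts
alice:1001:{NOPW}:{NOPW}:[U          ]:LCT-00000000:
bob:1002:{NOPW}:{NOPW}:[U          ]:LCT-00000000:
"""
STUDENT = f"""carol:2001:{NOPW}:{NOPW}:[U          ]:LCT-00000000:
Bob:2002:{NOPW}:{NOPW}:[U          ]:LCT-00000000:
"""

def parse_smbpasswd(text):
    """Yield usernames, field 0 per the format string in the post
    (User-Name : uid : LM-Password : NT-Password : SMB-Account-CTRL-TEXT : LCT :)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5 or not fields[0]:
            raise ValueError(f"malformed smbpasswd line: {raw!r}")
        yield fields[0]

def build_vlan_map(files):
    """files maps group label -> smbpasswd text.
    Returns (vlan_by_user, conflicts); a conflict is a name found in >1 file."""
    groups_by_user = defaultdict(set)
    for group, text in files.items():
        for user in parse_smbpasswd(text):
            # Assumption: compare case-insensitively so "Bob" and "bob" clash.
            groups_by_user[user.lower()].add(group)
    vlans, conflicts = {}, {}
    for user, groups in groups_by_user.items():
        if len(groups) == 1:
            vlans[user] = VLAN_BY_GROUP[next(iter(groups))]
        else:
            conflicts[user] = sorted(groups)
    return vlans, conflicts

if __name__ == "__main__":
    vlans, conflicts = build_vlan_map({"staff": STAFF, "student": STUDENT})
    for user, vlan in sorted(vlans.items()):
        print(f"{user}: VLAN {vlan}")
    for user, groups in sorted(conflicts.items()):
        print(f"CONFLICT {user}: present in {', '.join(groups)}")
```

A name reported as a conflict would make the VLAN depend on which file is consulted first, so it is worth resolving before the files are used for access control.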
