ok, now the normal authentication process works again!

Normally our config for the LDAP request looks like the following:

radiusd.conf:

basedn = "CN=Users,DC=isalab,DC=local"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
groupname_attribute = cn
groupmembership_filter = "(|(&(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf

users:

DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == "ISALAB.local"
        Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole",
        Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network",
        Fall-Through = No

With this config we get the group membership of the users and can
give the Filter-ID back to the switches.

But with machine authentication it looks a bit different!
First, the DC is Computers, not Users any more; then the sAMAccountName is for
example IT88$, but FreeRADIUS gives the name host/it88.isalab.local to the
AD, and this name is in the servicePrincipalName!
Also there is no memberOf any more on the device!

Any ideas how this can be done?

ca mIke
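An added illustration of the two lookups described in the post (not the poster's config and not FreeRADIUS's own rlm_ldap code): it builds the user-style sAMAccountName filter, a computer-style filter that also matches the host/... name against servicePrincipalName, and the group-membership filter, escaping every interpolated value as RFC 4515 requires. The Computers base DN, the short-name-to-IT88$ derivation and the realm stripping on "@" are assumptions for the example.

```python
"""LDAP filter construction for user vs. machine authentication (example, not rlm_ldap)."""

USER_BASE = "CN=Users,DC=isalab,DC=local"
COMPUTER_BASE = "CN=Computers,DC=isalab,DC=local"  # assumed container for machine accounts


def escape_filter(value: str) -> str:
    """RFC 4515 escaping: a value pasted into a search filter must not be able
    to close the expression or add its own terms (e.g. 'a)(cn=*')."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def strip_realm(user_name: str) -> str:
    """Rough equivalent of Stripped-User-Name: drop a trailing '@realm' (assumed form)."""
    return user_name.split("@", 1)[0]


def build_lookup(user_name: str):
    """Return (base DN, search filter) for the RADIUS User-Name.

    A name of the form host/<fqdn> is a machine; match it against
    servicePrincipalName (where the post says AD stores it) and, as a fallback,
    against the assumed sAMAccountName form <SHORTNAME>$ (IT88$ in the post).
    """
    name = strip_realm(user_name)
    if name.startswith("host/"):
        fqdn = name[len("host/"):]
        short = fqdn.split(".", 1)[0].upper() + "$"
        flt = "(|(servicePrincipalName=%s)(sAMAccountName=%s))" % (
            escape_filter(name), escape_filter(short))
        return COMPUTER_BASE, flt
    return USER_BASE, "(sAMAccountName=%s)" % escape_filter(name)


def group_filter(user_dn: str) -> str:
    """Group lookup equivalent to the post's groupmembership_filter, with the
    Ldap-UserDn value escaped before interpolation."""
    dn = escape_filter(user_dn)
    return "(|(member=%s)(&(objectClass=groupOfUniqueNames)(uniqueMember=%s)))" % (dn, dn)


if __name__ == "__main__":
    for n in ("mike@ISALAB.local", "host/it88.isalab.local", "a)(cn=*"):
        print(n, "->", build_lookup(n))
```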


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
