Hi All, I've been searching for half the day and can't find an answer for a question I have. I'm new to FreeRADIUS and so far am finding it a rewarding challenge. I have FreeRADIUS 2.1.10 up and running, querying AD via LDAP and authenticating with ntlm_auth fine. I'm using Ldap-Group checks within the users file to check against the AD groups.

The problem I have is that the NAS we're working with (Cisco wireless APs) does both MAC address and PEAP-MSCHAPv2 authentication to join the SSID. The PEAP bit works OK, but for the MAC address bit the AD administrators set a user up on AD with the MAC address but with only one primary group set, which dictates the VLAN passed back to that particular user on a specific client machine. The Ldap-Group check doesn't see the primary group, as it's set to do a "memberOf" lookup. Other groups are seen fine.

There are 3 ways I can see this working:

1) Get the LDAP bods to assign a different primary group and use the other group to dictate VLAN membership. We've 5000-odd clients, so this isn't my favourite.

2) Check the primaryGroupID attribute by mapping it using ldap.attrmap and attributes in the dictionary file, but then as far as I can tell I can't use these as check items within the users file. It's also tedious to have to know the primaryGroupIDs for each group. I'd quite like the users file to be the main source of passing RADIUS attributes back to clients, but there may be another way?

3) Something else a bit more clever. I've seen various examples of Java / VB.NET / PHP etc. ways of taking the primaryGroupID, changing its data type and thus finding the group name, which could then maybe be passed back to the users file. I have absolutely no idea here.

Can someone please help? Thanks, Andy Franks
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
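The primaryGroupID lookup referred to in option 3, shown here as an added example rather than anything from the original post: the primary group's SID is the user's domain SID with primaryGroupID as the trailing RID, and that SID can be searched for by objectSid to recover the group name that memberOf never lists. The objectSid bytes and the primaryGroupID value below are constructed sample data, not real directory values.

```python
import struct

# Constructed sample values (not from the post): a user's objectSid as AD
# returns it over LDAP (binary), and a primaryGroupID of 513 (Domain Users).
SAMPLE_USER_OBJECTSID = (
    b"\x01"                        # revision
    + b"\x05"                      # sub-authority count
    + b"\x00\x00\x00\x00\x00\x05"  # identifier authority (5 = NT Authority)
    + struct.pack("<5I", 21, 1234567890, 987654321, 1122334455, 1105)
)
SAMPLE_PRIMARY_GROUP_ID = 513


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode AD's binary objectSid into the familiar S-1-5-21-... form."""
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")          # 48-bit big-endian
    subs = struct.unpack(f"<{count}I", sid[8:])          # 32-bit little-endian each
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group is always in the user's own domain, so its SID is the
    user's SID with the user's RID replaced by primaryGroupID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"


def primary_group_filter(user_sid: str, primary_group_id: int) -> str:
    """LDAP filter that locates the group object; AD accepts the string SID
    form in an objectSid equality match, so no binary escaping is needed."""
    group_sid = primary_group_sid(user_sid, primary_group_id)
    return f"(&(objectClass=group)(objectSid={group_sid}))"


if __name__ == "__main__":
    user_sid = sid_bytes_to_string(SAMPLE_USER_OBJECTSID)
    print(user_sid)
    print(primary_group_filter(user_sid, SAMPLE_PRIMARY_GROUP_ID))
```

Searching with that filter and reading the group's cn or sAMAccountName gives the name to compare against, which is the step the memberOf-based Ldap-Group check cannot perform on its own.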

