Thanks for the reply Heikki. I think in this case, it would probably be easier 
to just migrate our Radiator deployment to Linux and use the NTLM module. 


- Craig 




SFU SIMON FRASER UNIVERSITY
Network Services
Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: [email protected] 
Twitter: simonscraig 

----- Original Message -----

From: "Heikki Vatiainen" <[email protected]> 
To: "Craig Simons" <[email protected]> 
Cc: [email protected] 
Sent: Thursday, 13 September, 2012 05:53:40 
Subject: Re: [RADIATOR] AuthBy LSA and BaseDN 

On 09/12/2012 08:03 PM, Craig Simons wrote: 

> Basically, our AD permission structure is such that not all OU 
> containers are "trusted" enough to allow wireless authentication. So, I 
> only want to allow authentication based on user entries in a specific OU 
> as opposed to users who are members of a group (not quite the same thing 
> I'm led to believe). 

Yes, I think these are different things. The LDAP tree structure AD uses 
tells where the users can be found, and the user then has e.g. group 
membership as an attribute. 

> We (currently) run Radiator on Windows servers and therefore use the LSA 
> module for AD authentication. The manual doesn't have any specific 
> configuration options for this module that appear to be able to limit 
> searches. 

The AD directory tree structure is not visible via LSA API. We thought 
about two options: 
1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if 
the user has a DN (location in the tree) with allowed OU component. This 
does require configuration work and maybe hooks too, but should be possible. 

2. Create a new group and place all users that are not allowed to use 
wireless LAN in that group. We could then add 'BlacklistGroup' 
functionality in AuthBy LSA. If a user is a member of the blacklisted group, 
access would not be allowed. 

Do you think option 2 would solve your problem? 

Thanks, 
Heikki 

-- 
Heikki Vatiainen <[email protected]> 

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, 
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc. 

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
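The "LDAP check first" step of option 1 above, worked through as an added example that is not Radiator's own code: it decides whether a user's DN sits under an allowed OU container, matching RDN by RDN from the root rather than by substring. It is written in Python as stand-alone logic (a real Radiator hook would be Perl), and the OU and user DNs are constructed samples.

```python
"""Decide whether a user's LDAP DN sits under an allowed OU container.

Added example, not Radiator's own code. Models the LDAP-before-LSA check
from option 1. All DNs and OU names below are constructed samples.
"""
import re

# Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514 allows
# "CN=Doe\, Jane"). Each RDN is normalised to (ATTR, value) for comparison.
_RDN_SPLIT = re.compile(r'(?<!\\),')

def parse_dn(dn: str) -> list[tuple[str, str]]:
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.strip().partition('=')
        if not attr or not sep:  # malformed RDN, e.g. missing '='
            raise ValueError(f"malformed RDN: {part!r}")
        # AD attribute names and OU/DC values compare case-insensitively
        rdns.append((attr.strip().upper(),
                     value.replace('\\,', ',').strip().lower()))
    return rdns

def is_under_allowed_ou(user_dn: str, allowed_ou_dn: str) -> bool:
    """True if allowed_ou_dn is a proper ancestor container of user_dn.

    The comparison runs RDN by RDN from the right (the root), so it is not
    fooled by an OU that merely shares a prefix (OU=StaffContractors), by
    an OU of the same name under a different parent, or by a different
    domain suffix.
    """
    user = parse_dn(user_dn)
    allowed = parse_dn(allowed_ou_dn)
    if len(user) <= len(allowed):  # the container itself is not a user
        return False
    return user[-len(allowed):] == allowed

def naive_substring_check(user_dn: str, ou_name: str) -> bool:
    """The tempting but wrong version: matches the OU name anywhere in the DN."""
    return f"ou={ou_name.lower()}" in user_dn.lower()

ALLOWED_OU = "OU=Staff,DC=example,DC=edu"  # constructed sample container

if __name__ == "__main__":
    for dn in ("CN=Doe\\, Jane,OU=Staff,DC=example,DC=edu",
               "CN=Bob,OU=StaffContractors,DC=example,DC=edu",
               "CN=Eve,OU=Staff,OU=Guests,DC=example,DC=edu",
               "CN=Mal,OU=Staff,DC=other,DC=edu"):
        print(f"{dn:50} strict={is_under_allowed_ou(dn, ALLOWED_OU)} "
              f"naive={naive_substring_check(dn, 'Staff')}")
```

Only the first sample DN passes the strict check; the naive substring check accepts all four, which is why the OU must be matched as an ancestor container rather than as text inside the DN.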