Gaah! You're right. In my mind I was referencing examples of querying AD via LDAP, which would obviously not apply in this case. I suppose there is no current functionality for doing this simply. As per your previous suggestions:
1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if the user has a DN (location in the tree) with allowed OU component. This does require configuration work and maybe hooks too, but should be possible.
2. Create a new group and place all users that are not allowed to use wireless LAN in that group. We could then add 'BlacklistGroup' functionality in AuthBy LSA. If a user is a member of blacklisted group, access would not be allowed.

1) I would imagine it would only be an AuthBy GROUP where you'd query the user in AD and ContinueWhileAccept into an LDAP lookup that would look for the user in the tree. It would seem that each authentication event would require a lookup to 2 different servers, which in a busy production environment, I'm not sure is worth the latency and complication.

2) Our AD environment, like many others, delegates permissions to multiple administrators who all have different areas of responsibility. In ours, administrators can create local accounts in their OUs for their own projects, etc. However, all of our students/staff/etc. live in a more tightly controlled OU that is administered centrally. We'd like to contain RADIUS lookups to this container, but it would appear that we'd need to add everyone into a default group. I have no idea what the implications are for this, so I'm not sure if it's a non-starter or not. I'll have to go back and think about this some more.

Regards,
Craig

----- Original Message -----
From: "Heikki Vatiainen" <[email protected]>
To: "Craig Simons" <[email protected]>
Cc: [email protected]
Sent: Thursday, 13 September, 2012 11:58:50
Subject: Re: [RADIATOR] AuthBy LSA and BaseDN

On 09/13/2012 08:31 PM, Craig Simons wrote:
> Thanks for the reply Heikki. I think in this case, it would probably be
> easier to just migrate our Radiator deployment to Linux and use the NTLM
> module.

Before you start, can you tell how you were planning to configure AuthBy NTLM?

You can give ntlm_auth some options, such as --require-membership-of, but I'm not sure if that would be any different than using the Group option with LSA.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
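The two-stage arrangement from suggestion 1 above (an OU-scoped LDAP existence check chained into AuthBy LSA), written out as an added illustration. This is not configuration from the thread or from Radiator's documentation; the hostnames, bind DN, OU, domain and group name are placeholders, and the use of NoCheckPassword on the LDAP2 stage is an assumption about how to make that stage an existence check only.

```text
# Added illustration, not a tested production configuration.
# Hostnames, DNs, the OU, the domain and the group name are placeholders.
<Handler>
    <AuthBy GROUP>
        # Each AuthBy must accept for the request to move on to the next;
        # the reply from the last one (LSA) is the final result.
        AuthByPolicy ContinueWhileAccept

        # Stage 1: existence check only. BaseDN confines the search to the
        # centrally administered OU, so accounts that delegated admins
        # create in their own OUs are never found and are rejected here.
        <AuthBy LDAP2>
            Host            dc1.example.edu
            AuthDN          CN=radius-bind,OU=Service Accounts,DC=example,DC=edu
            AuthPassword    change-me
            BaseDN          OU=Campus Users,DC=example,DC=edu
            UsernameAttr    sAMAccountName
            # Assumed: skip password verification so this stage answers only
            # "is the user under BaseDN?"; the password is checked by LSA.
            NoCheckPassword
        </AuthBy>

        # Stage 2: password check against the domain, keeping the existing
        # Group restriction for wireless access.
        <AuthBy LSA>
            Domain  EXAMPLE
            Group   WirelessUsers
        </AuthBy>
    </AuthBy>
</Handler>
```

The cost is exactly the one raised above: every Access-Request now pays for an LDAP search and an LSA call. The LDAP stage also rejects a user whose account was moved out of the OU even if the password and group membership are still valid, which is the desired containment but should be remembered when debugging rejects.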
