Hey Mark,
FreeRadius has some built in methods to filter for groups in LDAP. The easiest way is to add specific rules in the users file. For example, for allowing access to group 'test' to the NAC 'wap-test', a users rule could be phrased like
DEFAULT    Auth-Type = LDAP, Ldap-Group == "test", NAS-Port-Type == Wireless-802.11, NAS-IP-Address == wap-test

This is all meant to fit on one line. If the user is trying to use wireless (the NAS-Port-Type), and is logging in from wap-test (NAS-IP-Address - it is possible that this needs to be an IP address, but I have used some simple names before - it depends on how the WAP identifies itself, use radiusd -X to check this out), then authenticate them against the LDAP server, and only allow them to log in if they are part of group 'test' in LDAP.

This can also be done based on OU instead of group - the syntax is similar, but I never had need to try it out. I do not know much about the Cisco WCS system, but this method here should be complete without needing to use any WCS resources.

One last note - this fouled me up for a while, but may be very obvious to others. Be sure your users file is not only included in the authenticate and authorize sections of radiusd.conf, but also that the users file is formatted to allow in bits and pieces, instead of allowing anyone who can log into LDAP to have access to all systems, and then denying some other services. FreeRadius expects to deny anything that does not fit a rule listed, so only adding rules to allow specific services and groups of users is the best way to use it.

Best of luck,
Colin Alworth

--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://people.kzoo.edu/~k03ca01/
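A fuller users-file layout for the per-WLAN setup Mark asks about, added here as an illustration (it is not Colin's configuration and not a FreeRADIUS default): one DEFAULT entry per SSID, keyed on the NAS that serves it and on the LDAP group, closed by an explicit reject so nothing falls through. The 192.0.2.x addresses, group names and VLAN id are placeholders; the Ldap-Group check assumes rlm_ldap has group membership configured, as in Colin's rule.

```text
# Constructed example users file for FreeRADIUS (placeholders, not a real site).
# Each entry matches only when the request comes from the NAS of that WLAN
# (NAS-IP-Address) over wireless and the account is in the right LDAP group.
# The users file stops at the first matching entry, so order is most specific first.

# Student WLAN, served by the controller/AP at 192.0.2.10
DEFAULT    Auth-Type = LDAP, Ldap-Group == "students", NAS-Port-Type == Wireless-802.11, NAS-IP-Address == 192.0.2.10
           Reply-Message = "Student WLAN"

# Faculty WLAN at 192.0.2.11
DEFAULT    Auth-Type = LDAP, Ldap-Group == "faculty", NAS-Port-Type == Wireless-802.11, NAS-IP-Address == 192.0.2.11
           Reply-Message = "Faculty WLAN"

# Admin WLAN at 192.0.2.12; reply items also place the session in VLAN 30
DEFAULT    Auth-Type = LDAP, Ldap-Group == "admin", NAS-Port-Type == Wireless-802.11, NAS-IP-Address == 192.0.2.12
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "30"

# Catch-all: a valid LDAP login that matched none of the entries above is
# rejected outright instead of being handed to the LDAP module for authentication.
DEFAULT    Auth-Type := Reject
           Reply-Message = "No WLAN policy matches this user and access point"
```

Run radiusd -X while a client associates to confirm which NAS-IP-Address and NAS-Port-Type the controller actually sends, since the check items must match those values exactly.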

On 9/22/06, Mark Berman <[EMAIL PROTECTED]> wrote:
Hi all,

I just joined this list, mostly for the purpose of posting this question. I saw
the posting on the location appliance and I'll make a comment on that after my
question.

The Question: We are using Free-Radius as an authentication source for our
Wireless authentication. The Radius server in turn gets authentication from our
central servers via LDAP. We provide separate WLANs and SSIDs for students,
faculty, admin, guest... We'd like to allow or deny permission to each WLAN
based on group membership. Is anyone else doing this and willing to share their
Radius and WCS configs?

On the location appliance: We bought the thing and then discovered that it
won't work in our environment because our map is too complex. We have our
entire campus covered and have entered obstruction data detailing the
construction of all barrier walls and other possible obstructions. Apparently
the location appliance can only handle a very limited number of these
obstructions. I'm curious how many others have run into this problem and what
answer you're getting from Cisco. They've told us that it's been escalated to
engineering and that we are not the only customers having the problem. But it's
been months since we've heard anything new.

Thanks for listening.

  - Mark
--
Mark Berman, Director for Networks & Systems
Williams College, OIT, Jesup Hall
Williamstown, MA. 01267          413-597-2092

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
