With freeradius and PEAP-MSCHAP, how does one limit connectivity to a single group?
I feel like jumping up and down after I got FreeRadius, samba winbind, XCA w/ ECDSA certs, Active Directory, and Ubiquiti Unifi all talking together.
Next problem, any valid account in ActiveDirectory will currently authenticate. How do I limit this to the members of a specific AD group?
One terrible way I had thought of was in the post-auth module executing a bash script that does a quick LDAP search. Could anything bad happen from this?
EDIT
Here's a guide to getting it all to work! https://gist.github.com/exabrial/368c279aad65cefd8c5f
For now, you need to use rlm_ldap (which will be considerably faster than a bash script). We have discussed exposing winbind's APIs for group lookups, but you'd need to be using Samba 3.2.1 and a build of FreeRADIUS v3.1.x to take advantage of any features that were developed.
I'll leave you to look through (and complete) mods-available/ldap, as the config file is pretty well documented. After you have it customised to your LDAP server, create a symlink from mods-available/ldap to mods-enabled/ldap to enable the module.
To perform group lookups you need to compare the LDAP-Group attribute with a value, and then make the decision to reject the user.
Something like:
    if (LDAP-Group != 'my_group') {
        reject
    }
...in the inner tunnel virtual server would work.
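A worked version of the two pieces the answer leaves to the reader, added here as an example and not taken from the answer or from the FreeRADIUS project's own files: the rlm_ldap module section pointed at an Active Directory domain, and the membership check placed in the inner-tunnel virtual server. The domain controller name, bind account, base DN and group name (wifi-users) are assumed placeholders; the configuration keys are the standard FreeRADIUS 3.x mods-available/ldap keys.

```unlang
# --- mods-available/ldap (excerpt; all values below are assumed placeholders) ---
ldap {
    server = 'dc1.example.com'          # assumed AD domain controller
    port = 389                          # use 636 plus a tls {} section for LDAPS
    # AD does not permit anonymous searches, so a read-only bind account is needed.
    identity = 'CN=radius-bind,OU=Service Accounts,DC=example,DC=com'   # assumed
    password = 'REPLACE_ME'             # placeholder, never commit the real one
    base_dn = 'DC=example,DC=com'       # assumed

    user {
        base_dn = "${..base_dn}"
        # AD users authenticate by sAMAccountName; Stripped-User-Name drops any
        # DOMAIN\ prefix or @realm suffix the supplicant added.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        # AD stores membership on the user object as memberOf, so the module can
        # answer an Ldap-Group comparison from the user entry alone.
        membership_attribute = 'memberOf'
    }
}

# --- sites-available/inner-tunnel: add inside the existing post-auth { } section ---
# This runs only after MS-CHAPv2 (ntlm_auth/winbind) has already accepted the
# password, so a wrong password and a non-member produce the same reject.
# The negated equality is the form the rlm_ldap documentation uses for group checks;
# the comparison performs its own user lookup if ldap did not run in authorize.
if (!(Ldap-Group == 'wifi-users')) {    # assumed group name
    reject
}
```

Enable the module with `ln -s ../mods-available/ldap mods-enabled/ldap` from the raddb directory, restart, and watch `radiusd -X` (or `freeradius -X` on Debian/Ubuntu) for the rlm_ldap group search on a test login: a member of the group gets Access-Accept, any other valid AD account is rejected in the inner tunnel, and the outer PEAP server turns that into an Access-Reject for the UniFi access point.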