  1. #1
    Untangler

    Radius Login to Wireless - User Login passed to Untangle?

    Hi

    We have a Meru wireless system where our users connect via RADIUS authentication using their usual network username/password. We can specify a RADIUS accounting server. Would/is it possible to have this login information passed to Untangle so that the user is already authenticated?

    I want to avoid having users entering usernames/passwords.

    Many thanks
    Simon

  2. #2
    Untangle Junkie dmorris

    Yes you can call the user api in directory connector if they support that.

    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler

    Thank you for the reply. I don't know, I will have to go see!

    Many thanks
    Simon

  4. #4
    Untanglit

    Originally posted by dmorris:
    "Yes you can call the user api in directory connector if they support that."

    Can you expand on what you mean by this?
    If my user logs in to the wireless system via RADIUS, the RADIUS server will log in its event logs that Joe Bloggs tried to log in. This request would then be sent to the AD to check if username and/or password was correct; if it was, it will send an auth message back saying allow, if either were wrong we get a deny back.

    Going on the basis that the auth was allow, wouldn't this then put a log in the AD server that Joe Bloggs logged on from this device, which the Directory Connector would then pick up and populate the fields in username for clients?

    I have this similar setup, and the only devices on my wifi (which is RADIUS auth'd) that show a username are the devices that are domain auth'd as well (domain-joined laptops). None of the tablet/mobile devices that are on the RADIUS auth'd wireless show up in UT with a username.

  5. #5
    Untangle Ninja jcoehoorn

    Originally posted by tuffin86:
    "Can you expand on what you mean by this?"

    Many RADIUS platforms allow you to write custom code for the post-authentication step. I know FreeRADIUS allows this, for example. You can add custom code to the post-auth step that sends the user/machine information to Directory Connector.


    Originally posted by tuffin86:
    "wouldn't this then put a log in the AD server that joe bloggs logged on from this device which then the Directory Connector would pickup and populate the fields in username for clients."

    Not necessarily. Active Directory isn't the only game in town for network authentication. It is the best and biggest, but some places still use (shudder) Novell, or set up Samba/LDAP in place of a real AD domain controller.

    Even when you are using AD, sometimes credentials are synced or cached. For example, where I'm at we use Active Directory for computers, but use Google Apps for e-mail, and use a Google Apps Password Sync tool so Gmail passwords always match Active Directory. Additionally, depending on your RADIUS server, it may be possible to cache authentication tickets or even credentials, to improve performance of your Active Directory (fewer AD lookups) or reduce login latency (some combinations of wifi brands and end user device are very sensitive to longer 802.1x log-in times). Not ideal, of course, but it happens.
    Last edited by jcoehoorn; 08-03-2017 at 07:07 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 8GB with Untangle 12.2 to protect 200Mbits for ~400 residential college students and associated staff and faculty

  6. #6
    Untangle Junkie dmorris

    Originally posted by jcoehoorn:
    "Many RADIUS platforms allow you to write custom code for the post-authentication step. I know FreeRADIUS allows this, for example. You can add custom code to the post-auth step that sends the user/machine information to Directory Connector."

    This will work. Just call the API:
    https://wiki.untangle.com/index.php/...tification_API

    Alternatively, if you're using AD and it's logging the auth info, you can use our pre-built login monitor to call the API:
    https://wiki.untangle.com/index.php/..._Monitor_Agent
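
Added example (not written by anyone in this thread, and not Untangle's code): a sketch of the glue discussed above, turning the RADIUS accounting records the first post mentions into user login/logout notifications. The endpoint URL and the query parameter names (`action`, `clientIp`, `username`, `secretKey`) are placeholders assumed for illustration; take the real ones from the User Notification API page linked in the thread. The sample records are constructed.

```python
import os
from urllib.parse import urlencode

# ASSUMPTION: placeholder endpoint; the real path and parameter names come
# from the User Notification API wiki page linked in the thread.
NOTIFY_URL = "https://untangle.example/PLACEHOLDER-user-notification-endpoint"

# Acct-Status-Type values that change who is behind an IP address.
ACTIONS = {"Start": "login", "Interim-Update": "login", "Stop": "logout"}

def bare_username(user_name):
    """Strip a realm ('user@realm' or 'DOMAIN\\user') and normalise case."""
    name = user_name.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0].lower()

def build_notification(attrs, secret):
    """Return the notification URL for one accounting record, or None when
    the record cannot map a person to an IP address."""
    action = ACTIONS.get(attrs.get("Acct-Status-Type", ""))
    user = attrs.get("User-Name", "")
    ip = attrs.get("Framed-IP-Address", "")
    # 802.1X clients often have no IP yet at Accounting-Start; wait for a
    # later record that carries Framed-IP-Address instead of guessing.
    if action is None or not ip or not user:
        return None
    # Machine accounts (host/... or NAME$) are not people; skip them.
    if user.startswith("host/") or user.endswith("$"):
        return None
    params = {"action": action, "clientIp": ip,  # hypothetical parameter names
              "username": bare_username(user), "secretKey": secret}
    return NOTIFY_URL + "?" + urlencode(params)

# Constructed sample records, shaped like RADIUS accounting attributes.
SAMPLE = [
    {"Acct-Status-Type": "Start", "User-Name": "jbloggs@example.org"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "jbloggs@example.org",
     "Framed-IP-Address": "10.20.0.57"},
    {"Acct-Status-Type": "Stop", "User-Name": "EXAMPLE\\jbloggs",
     "Framed-IP-Address": "10.20.0.57"},
]

if __name__ == "__main__":
    key = os.environ.get("NOTIFY_SECRET", "constructed-secret")
    for rec in SAMPLE:
        print(build_notification(rec, key))
```

The shared secret is read from the environment rather than stored in the script, and the function only builds the request so it can be checked offline before being wired into the RADIUS server.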
