PEAP/802.1x AD authentication for network access working, can AD-LDAP group search work for switch management authorization?

Alan DeKok aland at deployingradius.com
Tue Feb 26 10:14:20 CET 2008


Charles Jones wrote:
> Now that I have that working, I am researching how to extend the
> FreeRADIUS server to provide LDAP-based authorization for privileged
> level access into the switches as well.  I would prefer to simply do
> an LDAP search to determine if the given user is located inside a
> specific AD group, and base the authorization request on the response
> from that query.

  In the "users" file, do:

DEFAULT	LDAP-Group == "foo"
	Reply-Message = "This worked",
	... reply with more stuff ...

> In the interest of keeping my request simple, I am looking to
> accomplish the following:
> 1.  Keep my current 802.1x PEAP port-based-auth working.

  There's no need to change it.

> 2.  Add in the functionality to control privileged access to Cisco
> devices based on group membership in our AD domain.

  You can configure any policies, and any response attributes, based on
LDAP-Group checking.

> Before I get neck-deep in testing out configs and debugging, I would
> like to ask if this is a feasible goal.  If it is, I would appreciate
> any relevant references you know of so that I may start researching
> the proper configuration changes needed to achieve this.  In addition,
> I'd like to know if anyone out there has this kind of configuration in
> place, and working.

  Lots of people do exactly this.

  Alan DeKok.
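An added example of what such "users" file entries can look like for the switch-management case (not from the original message or the FreeRADIUS project); it assumes the ldap module is configured for group membership lookups, that the AD groups "switch-admins" and "switch-operators" exist, and that management logins reach the server with NAS-Port-Type = Virtual while 802.1x requests arrive as Ethernet:

```text
# Management (telnet/ssh) logins from the switches arrive as NAS-Port-Type = Virtual.
# 802.1x/PEAP requests arrive as Ethernet, so they never match these entries and
# keep working unchanged.
#
# Full privilege for members of the (assumed) AD group "switch-admins".
DEFAULT	NAS-Port-Type == Virtual, LDAP-Group == "switch-admins"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15",
	Reply-Message = "Privileged access granted"

# Read-only exec level for the (assumed) AD group "switch-operators".
DEFAULT	NAS-Port-Type == Virtual, LDAP-Group == "switch-operators"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=1",
	Reply-Message = "Read-only access granted"

# Any other management login is refused, even with a valid AD password.
DEFAULT	NAS-Port-Type == Virtual, Auth-Type := Reject
	Reply-Message = "Not authorized for switch management"
```

Entries in the "users" file are tried in order and the first match wins unless Fall-Through is set, so the rejecting entry must stay last.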
