Freeradius replacing Cisco ACS in an Active Directory Environment

George Shearer george at theshearerfamily.com
Tue Feb 2 20:02:24 CET 2010


Hi All. This is my attempt at giving back to the freeradius community.
Maybe others will find my configuration useful in their efforts.

I'm a network guy, and I do quite a bit of consulting work for various
companies. I have a customer in particular who (prior to this) was
using a very out-of-date Cisco ACS Server, and couldn't afford the
renewal/licensing fees to bring it up to date. They are using
Microsoft's Active Directory on Windows Server 2000 as the primary
database for all identities/passwords.

The goals of this configuration are:

1. Provide AAA for administrative access to network devices (mostly, SSH access to Cisco routers/switches/firewalls)
2. Provide AAA for 802.11 WLAN users who are using Windows XP and "Wireless Zero" clients. (Cisco 1231 series access points)
3. Provide AAA for VPN Users who use the Cisco Secure VPN client from remote locations (Cisco 3000 series concentrators)

The freeradius server itself will run on a CentOS 5.4 Linux box. The
company doesn't like "make install" application installs (nor do I),
so I simply grabbed the SRPM from the Fedora Project's KOJI build
server for the latest freeradius, and built it. This process is
outside the scope of this particular posting, as I want to focus on
Freeradius itself.

The Fedora spec file builds multiple binary packages that you can
install based on what you want to do with freeradius. These are the
packages I'm using:
freeradius-utils-2.1.8-2
freeradius-2.1.8-2
freeradius-ldap-2.1.8-2

The company has one Active Directory forest, and one subdomain. Users
exist under both. So, for this configuration, we'll call the primary
zone COMPANY.COM and SUB.COMPANY.COM. Both domains must be queried for
authorization & authentication.

The following rules apply for access:

1. User must exist within the AD forest. (as defined by my LDAP search parameters)
2. User must be a member of a particular group (defined by the Users file) for certain types of access:
  a) For administrative access to network devices, the user must be a member of the group networkteam.
  b) Access to use the VPN, user must be a member of the group vpnusers.
  c) Access to the Wireless network, user must be a member of group wifiusers.

VPN and Network-Admin users achieve both Authorization and
Authentication using nothing more than the rlm_ldap module. Wireless
users do not use ldap at all, but instead, they use the eap and mschap
modules. The mschap module is configured to use ntlm_auth which
requires samba's winbind to be configured on the backend.

It took me some time (and I will not admit how much time) to figure
out how to make this all work. I blame most of this on the fact that
freeradius has been around a long time, and as a result there's lots
of obsolete documentation out there for google to find. I believe this
configuration uses mostly up-to-date syntax; however, I'm always
interested in feedback on how to do things better.

Interestingly, this whole process brought back a case of severe
déjà vu for me. I wrote a combination tacacs/radius server WAY back in
the day when the Livingston Portmaster 2 series was king of dialup.
Many users on the Livingston mailing list used my source code. This
really made me feel old. :(

Anyway, on to the good stuff.
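The access rules above, as an added example that is not part of the post (the poster's own configuration is not reproduced here): a FreeRADIUS 2.x `huntgroups` fragment and a `users` fragment that enforce rules 2a and 2b with the `Ldap-Group` check item that rlm_ldap provides. The huntgroup names (netdevices, vpn) and the 192.0.2.x NAS addresses are assumptions; the wireless path (eap/mschap/ntlm_auth) is not covered by this fragment.

```text
# --- raddb/huntgroups (added example; NAS addresses are assumed placeholders) ---
# Group the NAS devices by role so that the users file can key on Huntgroup-Name.
# Several lines with the same name are OR'ed together.
netdevices      NAS-IP-Address == 192.0.2.1        # router
netdevices      NAS-IP-Address == 192.0.2.2        # switch / firewall
vpn             NAS-IP-Address == 192.0.2.250      # Cisco 3000 concentrator

# --- raddb/users (added example) ---
# rlm_ldap must be listed in the authorize section of the virtual server so
# that the Ldap-Group check item is evaluated against AD group membership.
# Entries are matched top to bottom; the first matching entry wins, so each
# allow rule is followed by a reject rule for the same huntgroup.

# Rule 2a: administrative access to network devices requires networkteam.
DEFAULT Huntgroup-Name == "netdevices", Ldap-Group == "networkteam"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == "netdevices", Auth-Type := Reject
        Reply-Message = "Not a member of networkteam"

# Rule 2b: VPN access requires vpnusers.
DEFAULT Huntgroup-Name == "vpn", Ldap-Group == "vpnusers"
        Service-Type = Framed-User

DEFAULT Huntgroup-Name == "vpn", Auth-Type := Reject
        Reply-Message = "Not a member of vpnusers"
```

Testing with `radtest` against each NAS address (or `radiusd -X` to watch the Ldap-Group comparison) shows whether the reject entries fire for users outside the group.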