Network authentication and password policy

Gary Gatten Ggatten at waddell.com
Wed Mar 23 21:19:25 CET 2011


What I did - not saying what you should do - was to use FreeRADIUS with a SAMBA util called ntlm_auth with the argument "--require-membership-of [group-name/SID of group]".  (I had to use the SID to get it to work.)

So, you need *nix with FR and SAMBA, and that server needs to be a domain member to query AD.

When your network gear sends a RADIUS request to FR, it will query AD and only return an "OK" if the username/password are good, the account is active, and the user is a member of the specified group.

There are other ways, such as using LDAP, but I feel this is easier.  Others may have a different opinion.

Getting ntlm_auth / AD integration is documented in several places: www.freeradius.org should have some info / links / etc.

G
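The ntlm_auth wiring described above, as an added example (this is not Gary's configuration and not the FreeRADIUS project's stock files): the domain name EXAMPLE, the group SID S-1-5-21-PLACEHOLDER-1234, and the path /usr/bin/ntlm_auth are placeholders to be replaced with your own, and the FreeRADIUS host is assumed to already be a domain member with winbind running.

```conf
# raddb/modules/ntlm_auth (FreeRADIUS 2.x layout; 3.x keeps it in mods-available/ntlm_auth)
# Runs Samba's ntlm_auth against AD for cleartext (PAP) logins.
# --require-membership-of restricts success to one AD group; the SID form is
# used here because, as noted above, the group name did not work for the poster.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-PLACEHOLDER-1234"
}

# raddb/modules/mschap: the same group restriction for MS-CHAP / MS-CHAPv2
# requests, where the challenge/response pair is handed to ntlm_auth instead
# of a cleartext password.
mschap {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=S-1-5-21-PLACEHOLDER-1234"
}

# raddb/users: send PAP requests to the ntlm_auth module.
DEFAULT Auth-Type = ntlm_auth

# raddb/sites-enabled/default: the module must be listed as an Auth-Type.
authenticate {
        ntlm_auth
        mschap
}
```

Before wiring this in, run the same ntlm_auth command by hand as the radiusd user with a test account that is in the group and one that is not; the exit status (0 for success) is what the exec module turns into Access-Accept or Access-Reject, so both cases should be confirmed at the shell first.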


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Jeffrey Belles
Sent: Wednesday, March 23, 2011 3:04 PM
To: FreeRadius users mailing list
Cc: FreeRadius users mailing list
Subject: Re: Network authentication and password policy

Gary,
Thanks for your swift reply. 
As said, I am completely new to radius so trying to figure it all out now. 

We have an AD forest with over 1,000 users, with only a few of them needing access to the devices. Are there possibilities to achieve this?

On the AD domain there are already password policies in place, so that would be covered. 

J



On 23 Mar 2011, at 20:58, Gary Gatten <Ggatten at waddell.com> wrote:

> Will you be using some backend database; LDAP, AD, eDirectory, etc.?
> 
> "Typically" RADIUS either permits or denies based on a query reply it receives from the backend system.  I don't *think* you would be allowed to change your password via RADIUS (it typically only has RO access to the DB, and I'm not even sure the RADIUS protocol supports it), but I *believe* it will pass attributes to your client that will indicate if the password is expired or not.
> 
> And yes, typical password policy requires a change every n days; sometimes as often as 30 days, sometimes every 180+
> 
> Gary
> 
> 
> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Jeffrey Belles
> Sent: Wednesday, March 23, 2011 2:37 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Network authentication and password policy
> 
> Hello,
> I am new to this list and planning to deploy a radius-server. 
> Sole purpose will be to authenticate against network equipment. Mainly Juniper and Cisco and Sonicwall. 
> 
> I am looking for best practice solutions for password policy. Is there any way to force network engineers to change their passwords after either first login or expiry date? 
> Having everybody manually submit passwords on the server and/or having them change it every x weeks seems a bad plan. 
> 
> Anyone any ideas?
> 
> Thx
> Rgds,
> Jeffrey
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
