FreeRADIUS + Cisco + Active Directory

Alan DeKok aland at deployingradius.com
Wed Jan 6 21:09:13 CET 2016


On Jan 6, 2016, at 2:03 PM, Rashad Hall <trynot24 at gmail.com> wrote:
> 
> We are seeing if we can avoid using LDAP as it requires exposing the
> credentials (to myself) used to bind to LDAP. We have audit requirements
> and our SysAdmins are the only persons who should know these credentials.

  Then change the authentication method used by the clients.  If you can't do that, there isn't much you can do.

> With that being said we are trying to find any work around to avoid LDAP.

  The problem is that the user's password is in the RADIUS packet.  Moving away from LDAP doesn't change that.

> I was able to find this page
> (http://blog.chapus.net/freeradius-active-directory-group-check/) where the
> author states he had a working implementation that does not use LDAP.

  It won't help you.  It does something useful... just not anything useful for you.

> Any ideas? We will end up using LDAP if needed but if there is a decent
> workaround we are not concerned about optimal performance for the moment.

  Use LDAP.

  And for administrator login to switches... you're most often stuck with using passwords.  The RADIUS server will see the plain-text passwords.  But there isn't much you can do about that.

  Alan DeKok.
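The point Alan makes above, that the user's password is in the RADIUS packet and no choice of backend (LDAP or otherwise) changes that, follows directly from how RFC 2865 carries the User-Password attribute: the NAS hides the password with MD5 of the shared secret and the Request Authenticator, and the RADIUS server reverses that step with the same secret, so the server necessarily holds the plaintext before it ever talks to LDAP or AD. The script below is an added illustration written for this page, not code from Alan's reply or from FreeRADIUS; the secret, authenticator and password are constructed sample values.

```python
"""RFC 2865 section 5.2 User-Password hiding, to show why a RADIUS server
sees the plaintext password whatever backend it authenticates against.

Added illustration for this thread; the secret, authenticator and
password below are constructed values, not taken from any real deployment.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS (e.g. a switch) does before sending User-Password.

    The password is zero-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous ciphertext block), the first block
    using the 16-byte Request Authenticator instead of a previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], key_block)
        hidden += c
        prev = c
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt: recover the plaintext.

    This is the step that happens before any LDAP/AD lookup, which is why
    swapping the backend does not keep the password away from the server.
    Trailing NUL padding added by the NAS is stripped.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        plain += _xor(hidden[i:i + 16], key_block)
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def round_trip(password: bytes, secret: bytes, authenticator: bytes) -> tuple[bytes, bytes]:
    """Return (hidden attribute as seen on the wire, plaintext the server recovers)."""
    hidden = hide_user_password(password, secret, authenticator)
    return hidden, reveal_user_password(hidden, secret, authenticator)


if __name__ == "__main__":
    # Constructed sample values; a real NAS generates a fresh random authenticator per request.
    secret = b"testing123"
    authenticator = os.urandom(16)
    password = b"correct horse battery staple"
    hidden, recovered = round_trip(password, secret, authenticator)
    print("on the wire:", hidden.hex())
    print("server recovers:", recovered.decode())
```

The takeaway for the question in the thread: the only way to stop the RADIUS server from holding the plaintext is the one Alan names, changing the authentication method the clients use; for switch administrator logins that is usually not available, so the password will be visible to the server regardless of backend.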
