Contemplating change to FreeRadius configuration....

Mark J. Bobak mark at bobak.net
Mon Jan 21 21:17:09 CET 2019


Hi all,

I've been on this list for a while, but I'm mostly just a lurker.

But, I wanted to run a thought by folks here, before I spend too much time
on the effort.

Currently, I'm running Freeradius 3.0.13 (which I think was current when we
installed) on RedHat Enterprise Linux 7 (7.6).

I have a very simple implementation, using FreeRadius, Google
Authenticator, and Linux.  I create an account in Linux, and each Linux
account has a Google Authenticator component, and I use FreeRadius as the
backend to authenticate VPN users, coming from a Dell SonicWall TZ400.

All this works with no issue.  (The main reason I've been so quiet on this
list. ;-))

Users come in from VPN, supply username, password, and Google auth OTP, and
FreeRadius authenticates them.  The users are defined in Linux, on the
FreeRadius server itself.

Since I first set this up a couple of years ago, we have made some changes,
including moving to a Samba backend to do Active Directory authentication
for Windows logins.

So, my question is, instead of maintaining a separate database for VPN, is
it possible (and how hard) to make my Samba server be the backend?  So,
when we add a user to the Samba AD server, they will gain VPN login access,
in addition to the Windows domain for Windows login access.

If I go that way, would the Google Auth stuff have to move over to the
Samba server?  Would two-factor auth apply to Windows domain login as well
as VPN access?  (That may be a Samba question, sorry.)  Would the
FreeRadius server need to move to the Samba server?

Has anyone done something like this?  Was it difficult?

I'm a little bit loath to change a configuration that has been working so
well for so long....but as we grow, I'm willing to bet it will pay for
itself in time saved.

Any helpful hints?  Pointers to docs?

All comments are much appreciated.

Thanks,

-Mark


More information about the Freeradius-Users mailing list