On Sep 25, 2017, at 10:13 AM, Adam Cage <adamcage27@gmail.com> wrote:
People, I have working OK a Freeradius with AD Authentication and LDAP Authorization. Everything is OK when I use my service to authenticate users for the WiFi service.
That's good.
But now I want to add a Cisco Firepower IPS authentication, and I fail. The Cisco Firepower IPS has a Radius configuration interface where I fill out all the basic necessary data: Radius IP and port, Secret and Default User Role.
If the policies are very different from WiFi, you might want to user a different virtual server. See raddb/sites-available/README
In the Freeradius server, I have edited /etc/freeradius/sites-available/defaullt and inner-tunnel files, adding a clause similar to the current ones, as follow (the unique condition is the user belongs to IPS LDAP group):
if ..... ....... elsif (LDAP-Group == "IPS") { update reply { Reply-Message = "Hello %{User-Name}: Access enabled to Firepower" } ok } else { reject }
and the Freeradius debug output is this:
OK...
rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "IPS") -> TRUE ++? elsif (LDAP-Group == "IPS") -> TRUE ++elsif (LDAP-Group == "IPS") { +++update reply { expand: Hello %{User-Name}: Access enabled to Firepower -> Hello adam: Access enabled to Firepower +++} # update reply = noop +++[ok] = ok ++} # elsif (LDAP-Group == "IPS") = ok ++ ... skipping else for request 203: Preceding "if" was taken +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
Well that's clear.
Please can you help me???
Do you want to authenticate those users? If so, how? LDAP? Where are their accounts stored? Right now, you're not authenticating them at all. Alan DeKok.