Authentication with ntlm-auth and “require-membership-of”
works well for us. Right now we simply authenticate the login/vty session
with AD, and the secret is “authorized” locally by the switch.
So, each person gets the vty session with their own unique credentials
validated via ntlm-auth and AD. Everyone knows the secret password.
Works well. On our “dev” FR instance I have an FR users file
to return various Cisco attribute-value pairs. This works well too.
Somewhere down the road I’ll go for a full authorization process with AD
on the back side, or since a relatively small number of users access our gear,
might just stick to users file. Guess it depends how skilled I get with
LDAP/AD/unlang/whatever else…
G
From:
freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Brett Littrell
Sent: Wednesday, February 09, 2011
9:57 AM
To:
Subject: Re: Authenticating SSH
login on a Cisco IOS switch to AD
Hi Chris,
We use TACACS+ to administer our switches here and I can tell you that I had to
add extra stuff to the TACACS replies to allow authorization to manage the
switches. So you may be able to login via radius but somewhere you are
going to have to send information to the switch on what authorization is given
per user. This means that your going to have to have AD respond with this
information or have some other method that will inject those values when you
login.
I think it is possible but I do not think it will be to easy if you are only
using AD as the back-end, you may need to use local files to define groups with
attributes or some scripts to inject the values Cisco wants.
Hope that
helps.
Brett
Littrell
Network
Manager
MUSD
CISSP,
CCSP, CCVP, MCNE
>>> On Wednesday, February 09, 2011 at 7:24 AM, in message
<604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>,
"Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de>
wrote:
|
Greetings all, |