As far as I know, the most firewalls I've been using do a check for usermemberships and stores it temporary, and checks every 5 or 15 min for changes. An ldap group is then assigned to an access-rule. The Firewalls read log-files on the domain-controllers to assign user-to-IP. I do not think FreeRADIUS can help you out here. What kind of firewall are you using btw? Regards, Lasse Odden On Thu, Jun 1, 2017 at 10:09 AM, M. selcuk karaca < selcuk.karaca@pardus.org.tr> wrote:
Hi
let me pour more clearance. I accept that, I have still lots of things to learn and this mail list can serve this well :)
There is a firewall and this easily integrates with windows active directory. FW admin can easily get users and apply FW policies to these users. For example users can be banned from internet access.
Our aim is to implement this with open source softwares.
we have replaced windows active directory with openLDAP server. But we could not integrated it with FW. openLDAP just serves for authenticating users. AFAIK, There is no way to integrate openLDAP with FW.
So here freeRadius comes to scene. (After this point I may be wrong, please advice..)
AFAIK, freeRadius can send accounting information to FW. we put radiusClass attribute in openLDAP user definition. and we configure freeRadius to get authentication information from openLDAP. if user logins from freeRadius then we get accounting packet including radiusClass attrbute travelling to our FW.
FW sees accounting packet and according to radiusClass attribute can decide on internet rigths
Is this a correct configuration? Are there any better ways to implement this?
TIA..
n May 31, 2017, at 6:56 AM, M. selcuk karaca <selcuk.karaca at pardus.org.tr <http://lists.freeradius.org/mailman/listinfo/freeradius-use rs>> wrote:
/We have an openLDAP server. And we want to integrate LDAP users to our
firewall. Our ultimate aim for integration is to apply FW policies according to users. curently we are applying policies according to IP addresses. / That's largely how firewalls work... applying rules by users is a bit more difficult.
/Because openLDAP server does not provide us with accounting information
sent to the FW, we have employed a freeRadius server. / FreeRADIUS doesn't generate accounting records. It receives accounting records from a NAS or firewall.
/But we could not trigger freeRadius accounting packages by
authenticating our users with openLDAP server. / Because OpenLDAP doesn't generate accounting packets.
/SO we have used libpam-radius-auth package and directly authenticated
users from freeRadius. / Which does some accounting...
/I want to ask whether this way is a logical one. does this have any
negative effects, not recommended etc.. />//>/what should be the correct architecture for authenticating our users from openLDAP and provide Firewall integration for user based policies..? / I'm not even sure what you want to do.
Your question into clear that you understand how firewalls work, how LDAP works, and how RADIUS works.
Alan DeKok.
On 31-05-2017 13:56, M. selcuk karaca wrote:
Hi
I have an architectural question and I hope I will not destroy list rules
We have an openLDAP server. And we want to integrate LDAP users to our firewall. Our ultimate aim for integration is to apply FW policies according to users. curently we are applying policies according to IP addresses.
Because openLDAP server does not provide us with accounting information sent to the FW, we have employed a freeRadius server.
But we could not trigger freeRadius accounting packages by authenticating our users with openLDAP server. SO we have used libpam-radius-auth package and directly authenticated users from freeRadius.
I want to ask whether this way is a logical one. does this have any negative effects, not recommended etc..
what should be the correct architecture for authenticating our users from openLDAP and provide Firewall integration for user based policies..?
Thanks for your guidance..
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html