Charles Jones wrote:
Now that I have that working, I am researching how to extend the FreeRADIUS server to provide LDAP-based authorization for privileged level access into the switches as well. I would prefer to simply do an LDAP search to determine if the given user is located inside a specific AD group, and base the authorization request on the response from that query.
In the "users" file, do: DEFAULT LDAP-Group == "foo" Reply-Message = "This worked", ... reply with more stuff ...
In the interest of keeping my request simple, I am looking to accomplish the following: 1. Keep my current 802.1x PEAP port-based-auth working.
There's no need to change it.
2. Add in the functionality to control privileged access to Cisco devices based on group membership in our AD domain.
You can configure any policies, and any response attributes, based in LDAP-Group checking.
Before I get neck-deep in testing out configs and debugging, I would like to ask if this is a feasible goal. If it is, I would appreciate any relevant references you know of so that I may start researching the proper configuration changes needed to achieve this. In addition, I'd like to know if anyone out there has this kind of configuration in place, and working.
Lots of people do exactly this. Alan DeKok.