3 Wrote:
I am wondering what is the best practice (security) when it comes NAS user authentication:
Personally I think the best policy is not to use remote authentication servers for administrative switch access, and not to use the same password for administrative access to networking equipment as you do for SSO/AD, but that's a matter of opinion and certainly depends on institutional needs.
would it be better to have a separate server for the NAS user (cisco users) authentication ? or could I have both the WiFi user auth and NAS user auth on the same server?
You could.
The WiFi auth is based on MSCHAP module (against the AD), and since MSCHAP is not possible with the NAS user authentication, I assume that I have to use NTLM with PAP to authenticate the NAS user to the AD; These setup can't be on the same server (at least binding on same ports). Am I correct? or do I have it wrong?
You could use unlang to decide which protocols to run based on a number of factors, but unless there is a compelling reason not to use a different port number, it would probably be much easier to simply define a second server (running in the same FreeRADIUS process) and use the incoming port number to select the server with the "virtual_server" directive of the "listen" section (and not using a "virtual_server" directive in "client" sections, since that would override.) I wasn't aware administrative access on Cisco could use NTLM, except perhaps for the administrative web interface.