Hi let me pour more clearance. I accept that, I have still lots of things to learn and this mail list can serve this well :) There is a firewall and this easily integrates with windows active directory. FW admin can easily get users and apply FW policies to these users. For example users can be banned from internet access. Our aim is to implement this with open source softwares. we have replaced windows active directory with openLDAP server. But we could not integrated it with FW. openLDAP just serves for authenticating users. AFAIK, There is no way to integrate openLDAP with FW. So here freeRadius comes to scene. (After this point I may be wrong, please advice..) AFAIK, freeRadius can send accounting information to FW. we put radiusClass attribute in openLDAP user definition. and we configure freeRadius to get authentication information from openLDAP. if user logins from freeRadius then we get accounting packet including radiusClass attrbute travelling to our FW. FW sees accounting packet and according to radiusClass attribute can decide on internet rigths Is this a correct configuration? Are there any better ways to implement this? TIA.. n May 31, 2017, at 6:56 AM, M. selcuk karaca <selcuk.karaca at pardus.org.tr <http://lists.freeradius.org/mailman/listinfo/freeradius-users>> wrote:
/We have an openLDAP server. And we want to integrate LDAP users to our firewall. Our ultimate aim for integration is to apply FW policies according to users. curently we are applying policies according to IP addresses. / That's largely how firewalls work... applying rules by users is a bit more difficult.
/Because openLDAP server does not provide us with accounting information sent to the FW, we have employed a freeRadius server. / FreeRADIUS doesn't generate accounting records. It receives accounting records from a NAS or firewall.
/But we could not trigger freeRadius accounting packages by authenticating our users with openLDAP server. / Because OpenLDAP doesn't generate accounting packets.
/SO we have used libpam-radius-auth package and directly authenticated users from freeRadius. / Which does some accounting...
/I want to ask whether this way is a logical one. does this have any negative effects, not recommended etc.. />//>/what should be the correct architecture for authenticating our users from openLDAP and provide Firewall integration for user based policies..? / I'm not even sure what you want to do.
Your question into clear that you understand how firewalls work, how LDAP works, and how RADIUS works. Alan DeKok. On 31-05-2017 13:56, M. selcuk karaca wrote:
Hi
I have an architectural question and I hope I will not destroy list rules
We have an openLDAP server. And we want to integrate LDAP users to our firewall. Our ultimate aim for integration is to apply FW policies according to users. curently we are applying policies according to IP addresses.
Because openLDAP server does not provide us with accounting information sent to the FW, we have employed a freeRadius server.
But we could not trigger freeRadius accounting packages by authenticating our users with openLDAP server. SO we have used libpam-radius-auth package and directly authenticated users from freeRadius.
I want to ask whether this way is a logical one. does this have any negative effects, not recommended etc..
what should be the correct architecture for authenticating our users from openLDAP and provide Firewall integration for user based policies..?
Thanks for your guidance..