Sturgis, Grant wrote:
Greetings list,
Brand new freeradius user here, I will try not to be too obnoxious with silly questions.
My goal is to replace the Cisco ACS solution with Freeradius, including:
1. Shell (telnet/ssh) access to network switches/routers/firewalls 2. EAP-TLS to the wireless network 3. Potentially 802.1x auth to wired network ports
I would like to use our network directory (W2K3 AD) user accounts for all of the above. And I would also like to be able to restrict based on group membership - so that only members of the "Cisco_Admin" group can log into switches and only members of the "wireless" group can authenticate to the WAPs.
My questions is:
Would it be wiser to pursue the mschap / ntml_auth / winbind module solution or the ldap module solution?
You will probably need both. mschap/ntlm_auth/winbind are needed to authenticate peap/mschap against active directory; LDAP cannot be used. Conversely, LDAP is the "optimal" way of looking up groups in AD; though on reflection, I wonder if a winbind module would be useful.