Dear, thanks to both of you. For WiFi service, I authenticate the users against te AD following Alan Dekok's tutorial...that works OK. And also I authorize the users against LDAP (from AD), enabling ldap line in default and inner-tunnel files and evaluating if users belong or not to given certain groups using the Ldap-Groups attribute...that works OK too. Now I have an IPS device, with 3 users that have to manage it and they belong to a LDAP group that is used in the WiFi service, so I think the police is the same. In this case I want to authenticate any of these 3 users, and authorize them evaluating if they belong to the IPS group. I think the authentication method is the same as I'm using right now for WiFi service (defined for AD as described in Alan Dekok's tutorial). Please, should I add more details or can you hel me??? Regards! ADAM 2017-09-25 11:23 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Sep 25, 2017, at 10:13 AM, Adam Cage <adamcage27@gmail.com> wrote:
People, I have working OK a Freeradius with AD Authentication and LDAP Authorization. Everything is OK when I use my service to authenticate
users
for the WiFi service.
That's good.
But now I want to add a Cisco Firepower IPS authentication, and I fail. The Cisco Firepower IPS has a Radius configuration interface where I fill out all the basic necessary data: Radius IP and port, Secret and Default User Role.
If the policies are very different from WiFi, you might want to user a different virtual server. See raddb/sites-available/README
In the Freeradius server, I have edited /etc/freeradius/sites-available/defaullt and inner-tunnel files, adding a clause similar to the current ones, as follow (the unique condition is the user belongs to IPS LDAP group):
if ..... ....... elsif (LDAP-Group == "IPS") { update reply { Reply-Message = "Hello %{User-Name}: Access enabled to Firepower" } ok } else { reject }
and the Freeradius debug output is this:
OK...
rlm_ldap::ldap_groupcmp: User found in group WiFi-Corp [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "IPS") -> TRUE ++? elsif (LDAP-Group == "IPS") -> TRUE ++elsif (LDAP-Group == "IPS") { +++update reply { expand: Hello %{User-Name}: Access enabled to Firepower -> Hello adam: Access enabled to Firepower +++} # update reply = noop +++[ok] = ok ++} # elsif (LDAP-Group == "IPS") = ok ++ ... skipping else for request 203: Preceding "if" was taken +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user.
Well that's clear.
Please can you help me???
Do you want to authenticate those users? If so, how? LDAP? Where are their accounts stored?
Right now, you're not authenticating them at all.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html