PEAP/802.1x AD authentication for network access working, can AD-LDAP group search work for switch management authorization?
Hello all, I am relatively new to the RADIUS world, FreeRADIUS is my first RADIUS server, I am looking forward to learning as much as I can about it. So far, I have configured FreeRADIUS successfully to authenticate users against a Windows 2003 Active Directory server for 802.1x PEAP port-based-authentication using Cisco Catalyst switches. I used the ntlm_auth technique for the authentication side. Now that I have that working, I am researching how to extend the FreeRADIUS server to provide LDAP-based authorization for privileged level access into the switches as well. I would prefer to simply do an LDAP search to determine if the given user is located inside a specific AD group, and base the authorization request on the response from that query. I've looked through the rlm_ldap docs on the freeradius wiki, as well as a few other tutorials out on the web. However, I haven't seen anyone who is simply trying to authorize (not authenticate) based on group-membership in AD. I would prefer to avoid having to store any passwords in the LDAP database if at all possible. In the interest of keeping my request simple, I am looking to accomplish the following: 1. Keep my current 802.1x PEAP port-based-auth working. 2. Add in the functionality to control privileged access to Cisco devices based on group membership in our AD domain. Before I get neck-deep in testing out configs and debugging, I would like to ask if this is a feasible goal. If it is, I would appreciate any relevant references you know of so that I may start researching the proper configuration changes needed to achieve this. In addition, I'd like to know if anyone out there has this kind of configuration in place, and working. Thanks for your time, Charles
Hey,
Before I get neck-deep in testing out configs and debugging, I would like to ask if this is a feasible goal. yes totally do able. If it is, I would appreciate any relevant references you know of so that I may start researching the proper configuration changes needed to achieve this. the rlm_ldap docs should be most of what you need...
In addition, I'd like to know if anyone out there has this kind of configuration in place, and working. I have it working, I do authorization based on openLDAP ( with groups ) and i do authentication off active directories.
Joe Vieira UNIX Systems Administrator Clark University - ITS
Charles Jones wrote:
Now that I have that working, I am researching how to extend the FreeRADIUS server to provide LDAP-based authorization for privileged level access into the switches as well. I would prefer to simply do an LDAP search to determine if the given user is located inside a specific AD group, and base the authorization request on the response from that query.
In the "users" file, do: DEFAULT LDAP-Group == "foo" Reply-Message = "This worked", ... reply with more stuff ...
In the interest of keeping my request simple, I am looking to accomplish the following: 1. Keep my current 802.1x PEAP port-based-auth working.
There's no need to change it.
2. Add in the functionality to control privileged access to Cisco devices based on group membership in our AD domain.
You can configure any policies, and any response attributes, based in LDAP-Group checking.
Before I get neck-deep in testing out configs and debugging, I would like to ask if this is a feasible goal. If it is, I would appreciate any relevant references you know of so that I may start researching the proper configuration changes needed to achieve this. In addition, I'd like to know if anyone out there has this kind of configuration in place, and working.
Lots of people do exactly this. Alan DeKok.
participants (3)
-
Alan DeKok -
Charles Jones -
Joe Vieira