migrate from Cisco ACS
Dear FreeRADIUS users, I am a radius newbie. Please could anybody point me at a ref for migrating from Cisco ACS server. I'd specifically like to understand how I can get FreeRADIUS to reply to my switches,firewalls,VPN and wireless controller with the right/appropriate data. for example, if, on the current ACS server, i set the host where 'radtest' lives to... "authenticate using" -> "RADIUS (Cisco aironet)", ...I get back the correct wireless vlan info. If I then set it to authenticate using "RADIUS (VPN 3000)", I don't get back the vlan info but the Cisco-AVPair = "shell:priv-lvl=15" response is present. In addition, I'd like to determine how I can restrict access to specific groups through specific devices. I'll be using both ldap and mysql for user info Thanks for any pointers rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 07776 210516
Rob Shepherd <rob@techniumcast.com> wrote:
Please could anybody point me at a ref for migrating from Cisco ACS server.
There's no real documentation for that specific purpose.
I'd specifically like to understand how I can get FreeRADIUS to reply to my switches,firewalls,VPN and wireless controller with the right/appropriate data.
See the documentation for how to look for attributes in the request, and respond with other attributes.
for example, if, on the current ACS server, i set the host where 'radtest' lives to...
"authenticate using" -> "RADIUS (Cisco aironet)",
...I get back the correct wireless vlan info. If I then set it to authenticate using "RADIUS (VPN 3000)", I don't get back the vlan info but the Cisco-AVPair = "shell:priv-lvl=15" response is present.
You will have to configure the "users" file to send these response. Use the existing responses ACS sends as the template for the FreeRADIUS responses. Unlike ACS, FreeRADIUS doesn't have a magic GUI that sets all of these values on your behalf. You have to do much of that yourself. Alan DeKok.
Rob Shepherd wrote:
Dear FreeRADIUS users,
I am a radius newbie.
Please could anybody point me at a ref for migrating from Cisco ACS server.
I'd specifically like to understand how I can get FreeRADIUS to reply to my switches,firewalls,VPN and wireless controller with the right/appropriate data.
for example, if, on the current ACS server, i set the host where 'radtest' lives to...
"authenticate using" -> "RADIUS (Cisco aironet)",
...I get back the correct wireless vlan info. If I then set it to authenticate using "RADIUS (VPN 3000)", I don't get back the vlan info but the Cisco-AVPair = "shell:priv-lvl=15" response is present.
In addition, I'd like to determine how I can restrict access to specific groups through specific devices.
I'll be using both ldap and mysql for user info
Take a look at doc/Autz-Type. The basic recipe is: 1. Use the "huntgroups" file to group your NASes (e.g. into wireless, VPN, switches, routers, etc.) 2. In the "users" file, match on Huntgroup-Name and set Autz-Type 3. In the "authorize" section of "radiusd.conf", define a sub-section for each service, with any modules needed e.g.: authorize { # top-level preprocess files # per-service Autz-Type VPN { # modules here } } Some care is needed if you need an authentication module twice e.g. if wireless needs mschap against a domain but VPN needs mschap against plaintext passwords, but it's relatively easy. The key is to remember you can have >1 instance of a module (e.g. see the "passwd" modules in the default radiusd.conf)
for example, if, on the current ACS server, i set the host where 'radtest' lives to...
"authenticate using" -> "RADIUS (Cisco aironet)",
...I get back the correct wireless vlan info. If I then set it to authenticate using "RADIUS (VPN 3000)", I don't get back the vlan info but the Cisco-AVPair = "shell:priv-lvl=15" response is present.
The "users" file will help you design such rules. First you might find useful to group your devices by IP addresses with the _huntgroup_ file. Then your rules in "users" might _look_like_: DEFAULT Huntgroup-Name == Aironet, Ldap-Group == Managers Tunnel-Private-Group-Id = "100" DEFAULT Huntgroup-Name == Aironet, Ldap-Group == Users Tunnel-Private-Group-Id = "101" DEFAULT Huntgroup-Name == VPN, Ldap-Group == Managers Tunnel-Private-Group-Id = "shell:priv-lvl=15" DEFAULT Huntgroup-Name == VPN, Ldap-Group == Users Tunnel-Private-Group-Id = "shell:priv-lvl=7" See in the doc/processing_users_file and the samples from the users file in the distro (first line in check-items, the following are reply attributes/value pairs). The doc/aaa.txt file is very valuable as well.
In addition, I'd like to determine how I can restrict access to specific groups through specific devices.
I'll be using both ldap and mysql for user info
See doc/rlm_ldap for ldap details. HTH, Thibault
Thanks to... Alan DeKok Phil Mayers Thibault Le Meur Excellent pointers guys! Thanks for your help Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 07776 210516
participants (4)
-
Alan DeKok -
Phil Mayers -
Rob Shepherd -
Thibault Le Meur