wifi users + NAS users auth against AD
Dear List, I have a working setup of 5 FreeRadius servers for my WIFI users. Since the NAS number is increasing in monthly basis, I am wondering what is the best practice (security) when it comes NAS user authentication: - would it be better to have a separate server for the NAS user (cisco users) authentication ? or could I have both the WiFi user auth and NAS user auth on the same server? - The WiFi auth is based on MSCHAP module (against the AD), and since MSCHAP is not possible with the NAS user authentication, I assume that I have to use NTLM with PAP to authenticate the NAS user to the AD; These setup can't be on the same server (at least binding on same ports). Am I correct? or do I have it wrong? Thank you, Regards
3 Wrote:
I am wondering what is the best practice (security) when it comes NAS user authentication:
Personally I think the best policy is not to use remote authentication servers for administrative switch access, and not to use the same password for administrative access to networking equipment as you do for SSO/AD, but that's a matter of opinion and certainly depends on institutional needs.
would it be better to have a separate server for the NAS user (cisco users) authentication ? or could I have both the WiFi user auth and NAS user auth on the same server?
You could.
The WiFi auth is based on MSCHAP module (against the AD), and since MSCHAP is not possible with the NAS user authentication, I assume that I have to use NTLM with PAP to authenticate the NAS user to the AD; These setup can't be on the same server (at least binding on same ports). Am I correct? or do I have it wrong?
You could use unlang to decide which protocols to run based on a number of factors, but unless there is a compelling reason not to use a different port number, it would probably be much easier to simply define a second server (running in the same FreeRADIUS process) and use the incoming port number to select the server with the "virtual_server" directive of the "listen" section (and not using a "virtual_server" directive in "client" sections, since that would override.) I wasn't aware administrative access on Cisco could use NTLM, except perhaps for the administrative web interface.
On 30.01.2017 17:49, Brian Julin wrote:
Personally I think the best policy is not to use remote authentication servers for administrative switch access, we have 400+ LAN switches, and relying on local settings is not an option for every-day operation. We do put a local account into every switch though, in case something goes badly wrong (there have been IOS updates with surprises in the past).
and not to use the same password for administrative access to networking equipment as you do for SSO/AD but that's a matter of opinion and certainly depends on institutional needs. exactly. We used to have one redundant pair of RADIUS servers which we used for both WiFi users and administrative auth. I had separated the passwords using some heuristics to figure out what kind of request was coming in. That was nice for a while, but as our network landscape got more and more heterogenous it turned out to be complicated and error-prone. Finally, we split this up. So I would advise you to go for a separate set of (perhaps virtual) servers for each user auth and admin auth. It also looks like you _could_ use AD directly from Cisco: https://rbgeek.wordpress.com/2013/01/14/authenticate-the-cisco-devices-using... But putting a RADIUS server in between gives you all sorts of control over the auth process, e.g. you could easily change your store of admin passwords later on.
Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (3)
-
3@D4rkn3ss DuMb -
Brian Julin -
Martin Pauly