Greetings list, Brand new freeradius user here, I will try not to be too obnoxious with silly questions. My goal is to replace the Cisco ACS solution with Freeradius, including: 1. Shell (telnet/ssh) access to network switches/routers/firewalls 2. EAP-TLS to the wireless network 3. Potentially 802.1x auth to wired network ports I would like to use our network directory (W2K3 AD) user accounts for all of the above. And I would also like to be able to restrict based on group membership - so that only members of the "Cisco_Admin" group can log into switches and only members of the "wireless" group can authenticate to the WAPs. My questions is: Would it be wiser to pursue the mschap / ntml_auth / winbind module solution or the ldap module solution? I am guessing that this has been done in the past, right? Does anyone have any anecdotes that would be helpful? Thanks in advance, Grant ----------------- Pardon this rubbish: This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.
Sturgis, Grant wrote:
Greetings list,
Brand new freeradius user here, I will try not to be too obnoxious with silly questions.
My goal is to replace the Cisco ACS solution with Freeradius, including:
1. Shell (telnet/ssh) access to network switches/routers/firewalls 2. EAP-TLS to the wireless network 3. Potentially 802.1x auth to wired network ports
I would like to use our network directory (W2K3 AD) user accounts for all of the above. And I would also like to be able to restrict based on group membership - so that only members of the "Cisco_Admin" group can log into switches and only members of the "wireless" group can authenticate to the WAPs.
My questions is:
Would it be wiser to pursue the mschap / ntml_auth / winbind module solution or the ldap module solution?
You will probably need both. mschap/ntlm_auth/winbind are needed to authenticate peap/mschap against active directory; LDAP cannot be used. Conversely, LDAP is the "optimal" way of looking up groups in AD; though on reflection, I wonder if a winbind module would be useful.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, |> 1. Shell (telnet/ssh) access to network switches/routers/firewalls |> on group membership - so that only members of the "Cisco_Admin" group |> can log into switches and only members of the "wireless" group can |> authenticate to the WAPs. Don't know if this is an issue for you, but: Cisco equipment does not support command authorization via RADIUS (*any* RADIUS...) [for pure business greed reasons]. So if you really need per-command authorization, you'll have to stick with TACACS+ which, sadly, is well catered by ACS. Stefan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFIGAi++jm90f8eFWYRAnJvAJ9V2HwVoJu0Kfal4ykWqdlQNqBgyQCcC7kB 9of3qWSyWiui+xnFno+qk/E= =mTSB -----END PGP SIGNATURE-----
Stefan Winter wrote:
Don't know if this is an issue for you, but: Cisco equipment does not support command authorization via RADIUS (*any* RADIUS...) [for pure business greed reasons]. So if you really need per-command authorization, you'll have to stick with TACACS+ which, sadly, is well catered by ACS.
There's a tacp2rad program which hasn't been maintained... but it works. Adding that to the FreeRADIUS portfolio wouldn't be hard, if there was a demand for it. Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok schrieb: | Stefan Winter wrote: |> Don't know if this is an issue for you, but: Cisco equipment does not |> support command authorization via RADIUS (*any* RADIUS...) [for pure |> business greed reasons]. So if you really need per-command |> authorization, you'll have to stick with TACACS+ which, sadly, is well |> catered by ACS. | | There's a tacp2rad program which hasn't been maintained... but it works. | | Adding that to the FreeRADIUS portfolio wouldn't be hard, if there was | a demand for it. demand++ :-) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFIGBMD+jm90f8eFWYRApP1AJkBia5nE6wa/xu5eQL3k9uqQWNEzgCghJLO uFhl2X7ms0zfCNmdiNpTDrY= =Iw6w -----END PGP SIGNATURE-----
Alan DeKok wrote:
Stefan Winter wrote:
Don't know if this is an issue for you, but: Cisco equipment does not support command authorization via RADIUS (*any* RADIUS...) [for pure business greed reasons]. So if you really need per-command authorization, you'll have to stick with TACACS+ which, sadly, is well catered by ACS.
There's a tacp2rad program which hasn't been maintained... but it works.
Adding that to the FreeRADIUS portfolio wouldn't be hard, if there was a demand for it.
I'd find that useful, many of the more advanced command ACLs on HP kit can only be accessed when authenticating against a TACACS+ server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Hi,
Don't know if this is an issue for you, but: Cisco equipment does not support command authorization via RADIUS (*any* RADIUS...) [for pure business greed reasons]. So if you really need per-command authorization, you'll have to stick with TACACS+ which, sadly, is well catered by ACS.
you can still ditch the ACS and use tac_plus daemon on the same box that freeradius is running on...... alan
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Phil Mayers -
Stefan Winter -
Sturgis, Grant