best practice for combination freeradius -- active directory?
ho
nospam at berwicke.de
Fri Oct 7 19:12:18 CEST 2005
Hi all,
I need some more ideas for doing a good, stable and easy-to-use connection between freeradius and Active Directory.
First of all, a little bit about our configuration and history:
I've set up a freeradius server for authentication/authorization/accounting of DSL dial-in users on a Cisco ASA.
It works very well:
- local (Auth-type = system) authentication on a linux box
- authorisation (especially Cisco ACLs)
- mysql-db -- accounting (this is my favourite feature!!!!!)
A new requirement was given to make a connection between the ASA and our central authentication: Active Directory. AD is a must in our company.
At first there were many thoughts in my brain, then I decided to use a NIS-Master-Client combination to do this stuff (it was the easiest way for me to implement).
-> freeradius-server is the NIS-client, so Auth-Type = system still remains
-> the AD-Servers have MS SFU (Services for Unix) installed with a NIS-Master Server.
Everything works well ... but the procedure to get the AD-Users into the SFU-NIS-Master-Server seems to be a little bit tricky, particularly the password stuff (it must be changed in the AD the first time it was brought into SFU, although it was synchronized !!??)
I think this is a solution for 1-100 users, but not for 2000, and this is our aim.
An LDAP server is not planned in our company.
So now my questions:
----------------------------
- has anybody implemented a similar system?
- what could be an alternative/better way to make a connection between freeradius and the AD-Servers only for password-authentication? Authorization and Accounting still remain on the linux-box
- I've heard from our AD-Gods ;-) that Kerberos is used in the AD-system and that it could be a way?
---> has anybody tried this?
I would be glad for any ideas or hints.
Thank you.