Active Directory/freeradius/enterasys - combination

Michael Messner michael.messner_edv at
Mon Aug 21 11:56:19 CEST 2006


 we are testing the 802.1x authentication in a small test network.
The user management works via an active directory on a Windows 2003
server, a Freeradius on a Linux machine, and the switch is an Enterasys

Windows 2003 (AD) <---> Freeradius <---> Enterasys switch <--->

The user is able to authenticate with PEAP and MD5 from a Linux and a
Windows Client. Active Directory and Freeradius (ntlm_auth) give the OK
as well.

The Enterasys switch is dynamically configured with the Policy Manager.
Therefore it is possible to define rules for various user groups, and in
the AD different user groups are defined. Now the switch needs the group
to user information from the AD with the filter ID, which normally
looks like this:

Filter-Id = "Enterasys:version=1:mgmt=su:policy=adminrole"

If I define the users on the Radius with the help of the users file it
is no problem and it works perfectly, but how can I use the information
from the AD?

The problem is that the users are correctly authenticated, but the
switch doesn't have information what to do with these users and they get
an invalid role and furthermore they don't get access to the network
(they are assigned to the default role which is a blocking role)!

We made the first tests with the IAS from Microsoft where we created
different "Remote Access Policies", and there we added the different user
groups from the AD.

I've not found anything in the Internet concerning this very matter, so
I hope someone of you can give me more information how this can be realized.


More information about the Freeradius-Users mailing list