Strategy Advice
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 29 23:32:32 CEST 2008
Sturgis, Grant wrote:
> Greetings list,
>
> Brand new freeradius user here, I will try not to be too obnoxious with
> silly questions.
>
> My goal is to replace the Cisco ACS solution with Freeradius, including:
>
> 1. Shell (telnet/ssh) access to network switches/routers/firewalls
> 2. EAP-TLS to the wireless network
> 3. Potentially 802.1x auth to wired network ports
>
> I would like to use our network directory (W2K3 AD) user accounts for
> all of the above. And I would also like to be able to restrict based on
> group membership - so that only members of the "Cisco_Admin" group can
> log into switches and only members of the "wireless" group can
> authenticate to the WAPs.
>
> My question is:
>
> Would it be wiser to pursue the mschap / ntlm_auth / winbind module
> solution or the ldap module solution?
You will probably need both.
mschap/ntlm_auth/winbind are needed to authenticate PEAP/MSCHAP against
Active Directory; LDAP cannot be used.
Conversely, LDAP is the "optimal" way of looking up groups in AD; though
on reflection, I wonder if a winbind module would be useful.
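As an added example, not from this thread, here is what the two-module split Phil describes looks like in FreeRADIUS 2.x configuration: the mschap module hands MS-CHAP challenges to Samba's ntlm_auth (the host must already be joined to the domain via winbind), while the ldap module is used only to look up group membership, which is then enforced per access type. The domain name, LDAP server, bind DN, password and the Virtual/Wireless NAS-Port-Type branches are assumptions; only the group names Cisco_Admin and wireless come from the original question.

```text
# --- raddb/modules/mschap: PEAP/MS-CHAPv2 against AD via winbind ---
# Assumes "net ads join" has been run for the EXAMPLE domain (placeholder) and
# radiusd can read winbind's privileged pipe. AD never exposes NT hashes over
# LDAP, so an LDAP bind cannot answer an MS-CHAP challenge; ntlm_auth can.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# --- raddb/modules/ldap: group lookups only, never password checks ---
ldap {
    server   = "dc1.example.com"                              # placeholder
    identity = "cn=radius-lookup,cn=Users,dc=example,dc=com"   # read-only account
    password = "CHANGE-ME"
    basedn   = "dc=example,dc=com"
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    # AD stores membership on the group object (member) and mirrors it on the
    # user (memberOf); LDAP-Group checks use the filter below.
    groupname_attribute      = cn
    groupmembership_filter   = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    groupmembership_attribute = memberOf
}

# --- raddb/sites-enabled/default (and inner-tunnel, so the PEAP inner
#     identity is what gets checked) ---
authenticate {
    Auth-Type MS-CHAP {
        mschap          # runs ntlm_auth; "mschap" in authorize sets Auth-Type
    }
    eap                 # EAP-TLS / PEAP
}

post-auth {
    # Enforce group membership only after the credential check succeeded.
    if (NAS-Port-Type == Wireless-802.11) {
        if (!(LDAP-Group == "wireless")) {
            reject
        }
    }
    elsif (NAS-Port-Type == Virtual) {      # Cisco vty (telnet/ssh) logins
        if (!(LDAP-Group == "Cisco_Admin")) {
            reject
        }
        update reply {
            Cisco-AVPair = "shell:priv-lvl=15"
        }
    }
    # Wired 802.1X ports (NAS-Port-Type Ethernet) would get their own branch.
}
```

Test with `radtest` against a domain account, then confirm in `radiusd -X` output that the LDAP search runs with the bind account and that a user outside both groups is rejected in post-auth rather than at the password step.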