PEAP/802.1x AD authentication for network access working, can AD-LDAP group search work for switch management authorization?

Charles Jones linuxchuck at gmail.com
Mon Feb 25 19:29:32 CET 2008


Hello all,

I am relatively new to the RADIUS world, FreeRADIUS is my first RADIUS
server, I am looking forward to learning as much as I can about it.

So far, I have configured FreeRADIUS successfully to authenticate
users against a Windows 2003 Active Directory server for 802.1x PEAP
port-based-authentication using Cisco Catalyst switches.  I used the
ntlm_auth technique for the authentication side.

Now that I have that working, I am researching how to extend the
FreeRADIUS server to provide LDAP-based authorization for privileged
level access into the switches as well.  I would prefer to simply do
an LDAP search to determine if the given user is located inside a
specific AD group, and base the authorization request on the response
from that query.  I've looked through the rlm_ldap docs on the
freeradius wiki, as well as a few other tutorials out on the web.
However, I haven't seen anyone who is simply trying to authorize (not
authenticate) based on group-membership in AD.  I would prefer to
avoid having to store any passwords in the LDAP database if at all
possible.

In the interest of keeping my request simple, I am looking to
accomplish the following:
1.  Keep my current 802.1x PEAP port-based-auth working.
2.  Add in the functionality to control privileged access to Cisco
devices based on group membership in our AD domain.

Before I get neck-deep in testing out configs and debugging, I would
like to ask if this is a feasible goal.  If it is, I would appreciate
any relevant references you know of so that I may start researching
the proper configuration changes needed to achieve this.  In addition,
I'd like to know if anyone out there has this kind of configuration in
place, and working.

Thanks for your time,

Charles
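A sketch of what the authorization half could look like in FreeRADIUS 2.x unlang, added here as an illustration rather than taken from the post or the FreeRADIUS distribution: rlm_ldap reads the user's memberOf attribute from AD with a read-only bind (no passwords kept in LDAP), and only members of a group get a Cisco privilege-level reply. Server name, bind DN, group DN and the Switch-Admins group are assumptions; authentication stays with the existing ntlm_auth setup.

```unlang
# Added example, not the poster's config. Hostnames, DNs and group names are assumptions.
# modules/ldap: bind to AD read-only; group membership is taken from the user's memberOf.
ldap {
    server   = "dc1.example.local"                               # assumed domain controller
    identity = "CN=radius-ro,OU=Service Accounts,DC=example,DC=local"   # assumed read-only account
    password = "CHANGEME"                                        # placeholder
    basedn   = "DC=example,DC=local"
    filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    # Compare Ldap-Group against the DN values in the user's memberOf attribute,
    # so no password attributes are ever read from or stored in the directory.
    groupmembership_attribute = "memberOf"
    set_auth_type = no          # never let rlm_ldap take over authentication
}

# sites-enabled/default: the group check runs only for non-EAP requests, so the
# existing 802.1X PEAP flow (handled by the eap module and inner-tunnel) is untouched.
authorize {
    preprocess
    mschap
    suffix
    eap {
        ok = return
    }
    if (!EAP-Message) {
        # Switch management login arrives as PAP: authenticate it via ntlm_auth (assumed
        # exec module named ntlm_auth, as in the FreeRADIUS wiki ntlm_auth recipe).
        update control {
            Auth-Type := ntlm_auth
        }
        ldap
        if (Ldap-Group == "CN=Switch-Admins,OU=Groups,DC=example,DC=local") {
            update reply {
                Service-Type := NAS-Prompt-User       # exec shell on the switch
                Cisco-AVPair := "shell:priv-lvl=15"   # privileged EXEC level
            }
        }
        else {
            reject      # valid AD credentials but not in the admin group: no switch access
        }
    }
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
    eap
}
```

Run the server with `radiusd -X` and test a management login with `radtest` for a member and a non-member before enabling it on the switches, and confirm that a PEAP client still authenticates afterwards.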
