PEAP/802.1x AD authentication for network access working, can AD-LDAP group search work for switch management authorization?
Alan DeKok
aland at deployingradius.com
Tue Feb 26 10:14:20 CET 2008
Charles Jones wrote:
> Now that I have that working, I am researching how to extend the
> FreeRADIUS server to provide LDAP-based authorization for privileged
> level access into the switches as well. I would prefer to simply do
> an LDAP search to determine if the given user is located inside a
> specific AD group, and base the authorization request on the response
> from that query.
In the "users" file, do:
DEFAULT LDAP-Group == "foo"
	Reply-Message = "This worked",
	... reply with more stuff ...
> In the interest of keeping my request simple, I am looking to
> accomplish the following:
> 1. Keep my current 802.1x PEAP port-based-auth working.
There's no need to change it.
> 2. Add in the functionality to control privileged access to Cisco
> devices based on group membership in our AD domain.
You can configure any policies, and any response attributes, based on
LDAP-Group checking.
> Before I get neck-deep in testing out configs and debugging, I would
> like to ask if this is a feasible goal. If it is, I would appreciate
> any relevant references you know of so that I may start researching
> the proper configuration changes needed to achieve this. In addition,
> I'd like to know if anyone out there has this kind of configuration in
> place, and working.
Lots of people do exactly this.
Alan DeKok.
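A fuller "users" file sketch of the LDAP-Group approach described above, added here and not part of the original thread or of the FreeRADIUS distribution. It assumes rlm_ldap is configured with its group settings so that LDAP-Group is populated from AD, that the AD group is called "NetAdmins", and that switch CLI logins arrive with NAS-Port-Type == Virtual so that the 802.1x PEAP requests (Ethernet/Wireless port types) never reach these entries.

```text
# Added example: switch management authorization by AD group.
# Assumptions: AD group "NetAdmins"; Cisco IOS vty logins send
# NAS-Port-Type = Virtual; rlm_ldap group checking is enabled.

# Members of the assumed group get an exec shell at privilege level 15.
DEFAULT NAS-Port-Type == Virtual, LDAP-Group == "NetAdmins"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15",
	Reply-Message = "Switch management access granted"

# Any other CLI login on the switches is refused, even if the
# AD password is correct. The 802.1x requests do not match the
# NAS-Port-Type check, so they fall through to EAP unchanged.
DEFAULT NAS-Port-Type == Virtual, Auth-Type := Reject
	Reply-Message = "Not authorized for switch management"
```

Run the server with "radiusd -X" and confirm in the debug output that the LDAP-Group comparison fires for a switch login and is skipped for a PEAP request before deploying.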