Network authentication and password policy

Jeffrey Belles jaffa at fabfive.nl
Wed Mar 23 21:03:33 CET 2011


Gary,
Thanks for your swift reply. 
As said, I am completely new to RADIUS, so trying to figure it all out now. 

We have an AD forest with over 1,000 users, with only a few of them needing access to the devices. Are there possibilities to achieve this?

On the AD domain there are already password policies in place, so that would be covered. 

J



On 23 Mar 2011, at 20:58, Gary Gatten <Ggatten at waddell.com> wrote:

> Will you be using some backend database; LDAP, AD, eDirectory, etc.?
> 
> "Typically" RADIUS either permits or denies based on a query reply it receives from the backend system.  I don't *think* you would be allowed to change your password via RADIUS (it typically only has RO access to the DB, and I'm not even sure the RADIUS protocol supports it), but I *believe* it will pass attributes to your client that will indicate if the password is expired or not.
> 
> And yes, typical password policy requires a change every n days; sometimes as often as 30 days, sometimes every 180+
> 
> Gary
> 
> 
> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Jeffrey Belles
> Sent: Wednesday, March 23, 2011 2:37 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Network authentication and password policy
> 
> Hello,
> I am new to this list and planning to deploy a RADIUS server. 
> Sole purpose will be to authenticate against network equipment. Mainly Juniper and Cisco and Sonicwall. 
> 
> I am looking for best practice solutions for password policy. Is there any way to force network engineers to change their passwords after either first login or expiry date? 
> Having everybody manually submit passwords on the server and/or having them change it every x weeks seems a bad plan. 
> 
> Anyone any ideas?
> 
> Thx
> Rgds,
> Jeffrey
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



