Migrating ACS to FreeRADIUS

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Nov 20 18:01:26 CET 2013


On 20 Nov 2013, at 16:23, Zafar Pravaiz <zpravaiz at aus.edu> wrote:

> Dear Community,
> 
> I am in the process of replacing our Cisco ACS with FreeRADIUS for our wireless authentication and am trying to achieve the same functionality as ACS. Here is what I need.
> 
> 1. It should authenticate against AD.
> 2. The user should be checked against a specific group in AD and have a specific Called-Station-Id (if the user is in AD group == Students and Called-Station-Id == *SSID then Access-Accept).

Or should be in a particular group and should be logging in from a specific SSID... Yes, you can do that. See man unlang, and the LDAP-Group attribute.

There's already a stock policy called 'rewrite_called_station_id' which splits out the SSID. It's really as simple as:

server inner {
	authorize {
		# Stock policy (policy.d/canonicalization): splits "MAC:SSID" into
		# Called-Station-Id (MAC only) and Called-Station-SSID (the SSID).
		rewrite_called_station_id

		# Look the user up; "LDAP-Group ==" below is a group-membership check.
		ldap

		# Compare the split-out SSID, not Called-Station-Id (now just the MAC).
		if ((LDAP-Group == "Students") && (Called-Station-SSID == 'student_ssid')) {
			update reply {
				Reply-Message := "Hello student!"
			}
		} else {
			reject
		}
	}
}

The complexity of dealing with the different representations of groups, and of using the libldap API, is all dealt with for you: if you put the correct values in the LDAP config, it just works.

> 3. There should be multiple policies for various condition matches like the above.

man unlang

> 4. Default should be Reject.

man unlang

> 5. All user auth (pass/fail) should be logged to a file/syslog with the rejection reason.

See the linelog module.

> I have achieved only the 1st point.
> 
> Has anyone done the same? Is it possible in FreeRADIUS? Can someone point me in the right direction or share a config?

Look, this is pretty basic stuff; there's tons of documentation on the net around LDAP groups in FreeRADIUS.

The rest is site-specific policy which you need to write. No one else's config will do what you want.

The reason we have the policy language in FreeRADIUS is because there's no way we could write C modules to cover all the different deployment scenarios.

The C modules that do exist are there to allow integration with systems it would be too cumbersome to expose via the simple policy language.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
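
A fuller version of the policy Arran sketches, covering points 2 through 5 of the question (group + SSID policies, more than one of them, default reject, and pass/fail logging with the reason), follows as an added example. It is not code from this thread or from the FreeRADIUS project. Everything site-specific in it is assumed: the AD groups "Students" and "Staff", the SSIDs "student-wifi" and "staff-wifi", the log file name, an `ldap` module instance already pointed at AD with group lookups configured (per Arran's point above), `mschap`/`ntlm_auth` already working for AD passwords (point 1), and `copy_request_to_tunnel = yes` in the peap/ttls sections of mods-available/eap so the inner request actually carries Called-Station-Id. It is written for FreeRADIUS 3.0 syntax.

```unlang
#  Added example (not from the thread or the FreeRADIUS project).
#  Hypothetical site values: groups Students/Staff, SSIDs student-wifi/staff-wifi.

#  mods-available/auth_log  (enable by symlinking into mods-enabled)
linelog auth_log {
	filename = ${logdir}/wifi-auth.log
	permissions = 0600

	#  Choose the message by the packet type about to be sent; "format" is the
	#  fallback if no matching entry exists under "messages".
	format = ""
	reference = "messages.%{%{reply:Packet-Type}:-default}"

	messages {
		default = "OTHER user=%{User-Name} type=%{reply:Packet-Type}"
		Access-Accept = "ACCEPT user=%{User-Name} ssid=%{Called-Station-SSID} ap=%{Called-Station-Id}"
		#  Reason is kept in the internal Module-Failure-Message, never sent to the client.
		Access-Reject = "REJECT user=%{User-Name} ssid=%{Called-Station-SSID} ap=%{Called-Station-Id} reason=%{%{Module-Failure-Message}:-unknown}"
	}
}

#  sites-available/inner-tunnel  (the PEAP/TTLS inner side; trimmed to what matters here)
server inner-tunnel {
	authorize {
		#  Stock policy: "AA-BB-CC-DD-EE-FF:ssid" -> Called-Station-Id (MAC)
		#  plus Called-Station-SSID (the SSID). Needs copy_request_to_tunnel = yes,
		#  otherwise the inner request never sees Called-Station-Id at all.
		rewrite_called_station_id

		#  Sets Auth-Type MS-CHAP for PEAP-MSCHAPv2; passwords are checked against
		#  AD via ntlm_auth in the authenticate section below.
		mschap

		#  Loads the user entry from AD; each "&LDAP-Group ==" below is a
		#  membership check done by the ldap module (assumed already configured).
		ldap

		#  One policy per (group, SSID) pair; first match wins.
		if ((&LDAP-Group == "Students") && (&Called-Station-SSID == "student-wifi")) {
			update reply {
				&Reply-Message := "Welcome, student"
			}
		}
		elsif ((&LDAP-Group == "Staff") && (&Called-Station-SSID == "staff-wifi")) {
			update reply {
				&Reply-Message := "Welcome, staff"
			}
		}
		else {
			#  Default is reject. Record why first so Post-Auth-Type REJECT can log it.
			update request {
				&Module-Failure-Message := "no policy allows this user on SSID %{Called-Station-SSID}"
			}
			reject
		}
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
	}

	post-auth {
		#  Runs for Access-Accept.
		auth_log

		#  Runs instead of the section above whenever the result is reject,
		#  including a wrong password, in which case Module-Failure-Message
		#  carries the text the mschap module left behind.
		Post-Auth-Type REJECT {
			auth_log
			attr_filter.access_reject
		}
	}
}
```

Two things worth noting about the design. The reason for a reject is written only to the server-side log via `Module-Failure-Message`, not into `Reply-Message`, so a client that is denied learns nothing about which group or SSID check it failed. And the main `post-auth` list does not run for rejects, which is why `auth_log` appears in both places; drop the second call and failed logins silently vanish from the file.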
