FreeRADIUS + Cisco + Active Directory

Alan DeKok aland at deployingradius.com
Mon Dec 28 23:04:39 CET 2015


On Dec 28, 2015, at 3:45 PM, Rashad Hall <trynot24 at gmail.com> wrote:
> I am pretty sure my approach to this is all wrong so I've decided to seek
> the help of the experts.

  That's always useful.

> I have configured a FreeRADIUS server that authenticates our wifi users
> with EAP-TLS and will also authenticate users for our network devices.

  OK.

> Our
> network devices are mainly Cisco and I need these devices to authenticate
> users based on their Active Directory credentials.

  Then you can't do EAP-TLS.  EAP-TLS is certificate authentication.  There is no password.  So you can't check the password against AD... because the password isn't in EAP-TLS.

> Wifi portion is
> complete, but having trouble with using FreeRADIUS to check AD credentials
> correctly.

  See http://deployingradius.com

  It has guides to Active Directory and EAP.

> I decided to use MSCHAP (my mistake I believe) for
> Authentication

  Which isn't an EAP method, and can't be used for 802.1X authentication.

> and my "radtests" are successful, but when trying to log
> into a switch I set up for testing I am unsuccessful.

  Run the server in debugging mode to see why.

> I believe the switch
> only uses PAP and does not have the capability to use MSCHAP but I am
> unsure of how to set up PAP to query AD or somehow convert the PAP request
> into an MSCHAP request server side.

  See http://deployingradius.com

> Can anyone tell me the best most secure
> approach to accomplishing my goal (if possible, I must suck at Googling)?

  http://deployingradius.com

  It's been up for 10 years now.

> In the future I'd also like to assign Cisco priv levels based on groups a
> user belongs to in AD. Below is debug output showing first a successful
> radtest and then the unsuccessful login into the switch.
> 
> radiusd -X

  You've massively edited the configuration files and broken the server.  Don't do that.

  Start with the default configuration, and then follow the guide from my web page.

  Alan DeKok.
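The configuration the original poster is after (PAP from a Cisco switch checked against AD, with an IOS privilege level chosen by AD group) follows the same pattern as the deployingradius.com guide Alan points to. The block below is an added illustration written for this page, not Alan's guide or the FreeRADIUS project's shipped files. It assumes a FreeRADIUS 3.x raddb layout, Samba winbind joined to the domain so that `ntlm_auth` works from the shell, an `ldap` module instance already configured for the same directory, and placeholder values (`MYDOMAIN`, the `/usr/bin/ntlm_auth` path, the `NetAdmins` group DN) that must be replaced.

```unlang
# raddb/mods-available/ntlm_auth (symlink into mods-enabled)
# PAP check: the cleartext User-Password is handed to winbind, which
# validates it against the domain controller.  MYDOMAIN is a placeholder
# for the AD NetBIOS domain name.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default (only the sections that change are shown)
server default {
	authorize {
		preprocess
		mschap     # still handles MS-CHAPv2 if a NAS sends it
		eap        # existing EAP-TLS path for the Wi-Fi SSID is untouched
		ldap       # makes LDAP-Group available for the post-auth check

		# A Cisco console/vty login arrives as PAP: User-Password present,
		# no EAP-Message.  Only that case is steered to ntlm_auth, so the
		# Wi-Fi EAP-TLS flow is not affected.
		if (User-Password && !EAP-Message) {
			update control {
				Auth-Type := ntlm_auth
			}
		}
	}

	authenticate {
		Auth-Type ntlm_auth {
			ntlm_auth
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}

	post-auth {
		# Hypothetical AD group (placeholder DN): members get enable-level
		# access; anyone else who authenticates keeps the IOS default.
		if (LDAP-Group == "CN=NetAdmins,OU=Groups,DC=example,DC=com") {
			update reply {
				Service-Type := NAS-Prompt-User
				Cisco-AVPair := "shell:priv-lvl=15"
			}
		}
	}
}
```

Two points worth keeping in mind when adapting this. `LDAP-Group` is a comparison the `ldap` module registers, so the module must be instantiated and pointed at the same directory; the check triggers a group-membership query at evaluation time and shows up in `radiusd -X` output, which is the first place to look when a privilege level is not applied. On the switch side, the `shell:priv-lvl` attribute is only honoured when `aaa authorization exec default group radius` is configured; without it the user lands at the default privilege level regardless of what the server returns. Finally, because this path is PAP, the password crosses the network protected only by the RADIUS shared-secret obfuscation, so the switch-to-server hop should be a trusted management network and the shared secret should be long and per-NAS.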
