Freeradius and LDAP/AD integration

Antoine JOUBERT antoine at
Thu Nov 26 15:57:57 CET 2015


I've been reading through Freeradius' documentation, various howtos and 
this mailing list's archives for the past few days, and I'm still not sure 
if the architecture I'm trying to set up can be achieved, so I figured 
I'd ask here.

My company currently uses a Windows Server running Active Directory for 
user account management.

We would like to set up 802.1x for both wired and WLAN access on Windows, 
Linux, Mac, iOS and Android devices (using PEAP/MS-CHAPv2).

We have three offices where VLANs are configured. Many of our users 
frequently move between offices. A user who uses VLAN 10 when he is in 
office A would use VLAN 20 when he is in office B and VLAN 30 
when he is in office C. Hence, unless I've missed something, I don't 
believe we can fully centralize our RADIUS configuration.

I'm thinking of setting up a Freeradius server in each office that 
communicates with our Active Directory to check if the user's 
credentials are valid, and then checks a local MySQL database for the  
"Tunnel-Type", "Tunnel-Medium-Type" and "Tunnel-Private-Group-Id" 
parameters for that user.

Can this be achieved?

We'll also need to configure MAC Authentication Bypass for devices that 
do not handle 802.1x (VOIP phones, printers, etc.). Can those be 
configured locally in the same MySQL database as well?
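As an added illustration of the per-office database the post describes (this is example content, not part of the original message and not FreeRADIUS project code), the rows below populate the default FreeRADIUS 3.x MySQL schema (radcheck, radusergroup, radgroupreply) for office A. The VLAN numbers 10/20/30 come from the post; the user name jdoe, the MAC address, the group names and the restricted VLAN 99 are constructed placeholders. Office B and C would carry the same rows with their own VLAN values.

```sql
-- Added example (not from the original post): one office's local FreeRADIUS
-- MySQL database. Authentication itself is done against Active Directory;
-- SQL only supplies reply attributes and the MAB entries.
-- User names, MAC addresses, group names and VLAN 99 are constructed.

-- 1. Per-office VLAN assignment, attached to a group rather than to each
--    user, so adding a user is a single radusergroup row. Office A: VLAN 10
--    (office B's database would hold '20' here, office C's '30').
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('staff', 'Tunnel-Type',             ':=', 'VLAN'),
  ('staff', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('staff', 'Tunnel-Private-Group-Id', ':=', '10');

-- Restricted VLAN for devices admitted by MAC Authentication Bypass only
-- (constructed VLAN 99). Keeping them off the staff VLAN limits what a
-- device can reach if its MAC address is cloned.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('mab-devices', 'Tunnel-Type',             ':=', 'VLAN'),
  ('mab-devices', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('mab-devices', 'Tunnel-Private-Group-Id', ':=', '99');

-- 2. Map an AD user (constructed name) to the group. No password rows:
--    the PEAP/MS-CHAPv2 credential is verified against AD by the mschap
--    module, SQL is consulted in authorize only for reply attributes.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('jdoe', 'staff', 1);

-- 3. MAC Authentication Bypass: the switch sends the device's MAC as
--    User-Name. The stored form must match what the switch sends after the
--    server's normalisation policy (assumed here: lowercase, no separators).
--    Auth-Type := Accept skips password checking for this entry only.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('001122aabbcc', 'Auth-Type', ':=', 'Accept');
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('001122aabbcc', 'mab-devices', 1);

-- 4. What this office's server returns for jdoe; this mirrors the default
--    group reply lookup in mods-config/sql/main/mysql/queries.conf.
SELECT g.attribute, g.op, g.value
  FROM radusergroup ug
  JOIN radgroupreply g ON g.groupname = ug.groupname
 WHERE ug.username = 'jdoe'
 ORDER BY ug.priority;
```

Two points worth knowing before building on this: PEAP/MS-CHAPv2 against Active Directory is done with the mschap module calling Samba's ntlm_auth (the server joined to the domain), not with an LDAP bind, because AD does not expose the NT hash over LDAP; and because a MAC address is trivially copied, MAB entries should land in a VLAN with only the access those devices actually need, as the mab-devices group above does.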



