Freeradius and LDAP/AD integration
antoine at joubert.ninja
Thu Nov 26 15:57:57 CET 2015
I've been reading through Freeradius' documentation, various howtos and
this mailing-list's archives for the past few days, and I'm still not sure
if the architecture I'm trying to set up can be achieved, so I figured
I'd ask here.
My company currently uses a Windows Server running Active Directory for
user account management.
We would like to set up 802.1X for both wired and WLAN access on Windows,
Linux, Mac, iOS and Android devices (using PEAP/MS-CHAPv2).
We have three offices where VLANs are configured. Many of our users
frequently move between offices. A user who uses VLAN 10 when he is in
office A would use VLAN 20 when he is in office B and VLAN 30
when he is in office C. Hence, unless I've missed something, I don't
believe we can fully centralize our RADIUS configuration.
I'm thinking of setting up a Freeradius server in each office that
communicates with our Active Directory to check if the user's
credentials are valid, and then checks a local MySQL database for the
"Tunnel-Type", "Tunnel-Medium-Type" and "Tunnel-Private-Group-Id"
parameters for that user.
Can this be achieved?
We'll also need to configure MAC Authentication Bypass for devices that
do not handle 802.1X (VOIP phones, printers, etc.). Can those be
configured locally in the same MySQL database as well?
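Added example, not part of the original post: sample rows for one office's local MySQL database using the radcheck/radreply tables from the FreeRADIUS SQL schema, showing the per-user VLAN reply attributes and a MAC Authentication Bypass entry. The username, MAC address and VLAN ids are constructed placeholders, and the switch is assumed to send the device MAC as User-Name for MAB (the exact MAC format depends on the switch).

```sql
-- Constructed sample data for office A's FreeRADIUS MySQL database.
-- Tables radcheck and radreply are the ones shipped with the FreeRADIUS
-- sql module; usernames, MAC and VLAN ids below are placeholders.

-- Domain user 'jdoe': the password is verified against Active Directory
-- (PEAP/MS-CHAPv2), then the sql module adds these reply attributes from
-- radreply so the switch puts the port in VLAN 10. Office B's and office
-- C's databases would carry '20' and '30' for the same username.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('jdoe', 'Tunnel-Type',             '=', 'VLAN'),
  ('jdoe', 'Tunnel-Medium-Type',      '=', 'IEEE-802'),
  ('jdoe', 'Tunnel-Private-Group-Id', '=', '10');

-- MAC Authentication Bypass for a VOIP phone (placeholder MAC): the switch
-- sends the MAC as User-Name, radcheck forces Auth-Type := Accept so no
-- password is checked, and radreply assigns the voice VLAN (placeholder 40).
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('001122334455', 'Auth-Type', ':=', 'Accept');
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('001122334455', 'Tunnel-Type',             '=', 'VLAN'),
  ('001122334455', 'Tunnel-Medium-Type',      '=', 'IEEE-802'),
  ('001122334455', 'Tunnel-Private-Group-Id', '=', '40');
```

Because an Auth-Type := Accept row skips credential checking entirely, restrict MAB entries to known device MACs and keep them in a VLAN with no more access than the device needs.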