Freeradius and LDAP/AD integration

Alan DeKok aland at deployingradius.com
Thu Nov 26 16:33:20 CET 2015


On Nov 26, 2015, at 9:57 AM, Antoine JOUBERT <antoine at joubert.ninja> wrote:
> My company currently uses a Windows Server running Active Directory for user account management.
> 
> We would like to setup 802.1x for both wired and WLAN access on Windows, Linux, Mac, iOS and Android devices (using PEAP/MS-CHAPv2).

  That's a common scenario.

> We have three offices where VLANs are configured. Many of our users frequently move between offices. A user who uses VLAN 10 when he is in the office A would use VLAN 20 when he is in the office B and VLAN 30 when he is in the office C. Hence, unless I've missed something, I don't believe we can fully centralize our RADIUS configuration.

  You should be able to.  Just separate the user credential checking from the VLAN assignment.

	if (office A) {
		set VLAN 10
	}
	if (office B) {
		set VLAN 20
	}

  etc.

> I'm thinking of setting up a Freeradius server in each office that communicates with our Active Directory to check if the user's credentials are valid, and then checks a local MySQL database for the "Tunnel-Type", "Tunnel-Medium-Type" and "Tunnel-Private-Group-Id" parameters for that user.

  That wouldn't apply the rules per office.

> Can this be achieved?

  Yes.

> We'll also need to configure MAC Authentication Bypass for devices that do not handle 802.1x (VOIP phones, printers, etc.). Can those be configured locally in the same MySQL database as well?

  Yes.

  The problem (as always) is to write down what you want to happen, and when.  Use simple English to write the rules.  Then, organize the rules, and translate them into "unlang" policy.

  *Don't* try to do anything in MySQL until you understand what rules you're implementing.  If you start off by poking MySQL, you won't know what your end goal is, and you won't make any progress towards that goal.

  Alan DeKok.
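As an added illustration of the separation Alan describes (this is not part of his reply and not FreeRADIUS's shipped configuration), the policy below for FreeRADIUS 3.x keeps "is this user or device allowed?" apart from "which VLAN does this office use?". It assumes: the three RFC 5737 documentation prefixes stand in for the real per-office switch/AP management subnets; PEAP/MS-CHAPv2 credential checking against AD is already working through the `eap` module and the inner-tunnel virtual server; `authorized_macs` is an assumed extra instance of the `files` module keyed on Calling-Station-Id (it could equally be an `sql` lookup, which is what the MySQL question amounts to); and the policy and file names are placeholders.

```unlang
# --- mods-available/files: assumed extra instance for MAB lookups ----------
# Keyed on the client MAC rather than User-Name, so an 802.1X user name can
# never match an entry here.
files authorized_macs {
	key = "%{Calling-Station-Id}"
	filename = ${confdir}/authorized_macs
}

# --- authorized_macs (constructed sample entries, one MAC per line) --------
# 00-11-22-33-44-55
#	Reply-Message = "VoIP phone"
# 66-77-88-99-aa-bb
#	Reply-Message = "Printer"

# --- policy.d/office_vlan (assumed file name) -----------------------------
# Decides the VLAN purely from which NAS sent the request.  Nothing in here
# looks at the user, so the same policy runs on every server.
office_vlan {
	if (&NAS-IP-Address < 192.0.2.0/24) {
		# office A
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "10"
		}
	}
	elsif (&NAS-IP-Address < 198.51.100.0/24) {
		# office B
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "20"
		}
	}
	elsif (&NAS-IP-Address < 203.0.113.0/24) {
		# office C
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "30"
		}
	}
	else {
		# A NAS we have not classified: refuse rather than hand out a
		# default VLAN, and log which address needs adding.
		update request {
			&Module-Failure-Message := "Unclassified NAS %{NAS-IP-Address}"
		}
		reject
	}
}

# --- sites-enabled/default: the relevant sections only --------------------
authorize {
	preprocess
	if (!&EAP-Message) {
		# No EAP in the request: treat it as MAC Authentication Bypass.
		# Normalise the MAC to aa-bb-cc-dd-ee-ff (stock policy), look it
		# up, and only then accept without a password check.
		rewrite_calling_station_id
		authorized_macs
		if (!ok) {
			reject
		}
		update control {
			&Auth-Type := Accept
		}
	}
	else {
		# 802.1X: the eap module drives PEAP; the inner tunnel checks
		# MS-CHAPv2 against AD.  No VLAN logic lives here.
		eap
	}
}

authenticate {
	eap
}

post-auth {
	# Runs on the final Access-Accept for both 802.1X and MAB, so the
	# VLAN decision is made in exactly one place.
	office_vlan
}
```

Because `office_vlan` keys only on the NAS address, the three offices can run an identical configuration (or one central server) and still hand VLAN 10, 20 or 30 to the same user depending on where they plugged in. The credential decision and the MAB allow-list stay independent of that, which is the ordering Alan recommends: write the rules down first, then put each one in the section where it belongs.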
