FreeRADIUS + Cisco + Active Directory

Matthew Newton mcn4 at leicester.ac.uk
Wed Jan 6 23:33:42 CET 2016


On Wed, Jan 06, 2016 at 11:03:10AM -0800, Rashad Hall wrote:
> We are seeing if we can avoid using LDAP as it requires exposing the
> credentials (to myself) used to bind to LDAP. We have audit requirements
> and our SysAdmins are the only persons who should know these credentials.

You are being told that as the RADIUS admin *you* aren't allowed
to know the credentials, or that you shouldn't be using LDAP for
authenticating users?

I read that as the former, in which case you have some really
weird audit requirements in my view. You need to find out groups
for a user - so you need access. So create an account that gives
you the access you require and get the data you need and no more.

It's not as if they have to give full admin access to LDAP to do
that, and if you have to have a domain account to read LDAP you'll
need one for reading the same data with other methods as well (of
which the only one I'm aware of is via winbind as mentioned
previously).

> With that being said we are trying to find any work around to avoid LDAP. I
> was able to find this page (
> http://blog.chapus.net/freeradius-active-directory-group-check/) where the
> author states he had a working implementation that does not use LDAP. I

That just uses Samba/winbind.

It still needs credentials to access the directory - just it's
using a machine account password rather than a user account, which
you can easily extract from Samba's secrets.tdb if you want it.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
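As an added illustration of the least-privilege approach Matthew describes (a dedicated account with read access to the data needed and nothing more), here is what the LDAP-based group check looks like in a FreeRADIUS 3.x `ldap` module stanza plus the matching `unlang` check. This is example configuration written for this page, not the thread author's or the FreeRADIUS project's own; the server name, service-account DN, group DN, CA path and password are placeholders.

```conf
# mods-available/ldap (FreeRADIUS 3.x) -- hypothetical values throughout
ldap {
    # LDAPS to the domain controller; the CA file is a placeholder path
    server = 'ldaps://dc1.example.test'
    tls {
        require_cert = 'demand'
        ca_file = /etc/ssl/certs/example-root-ca.pem
    }

    # Dedicated service account that may only read user objects and their
    # memberOf attribute.  It is not a domain admin and is not used for
    # anything else, so exposing it to the RADIUS admin grants just that.
    identity = 'CN=svc-radius-ldap,OU=Service Accounts,DC=example,DC=test'
    password = 'REPLACE-WITH-VAULTED-SECRET'

    base_dn = 'DC=example,DC=test'

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        membership_attribute = 'memberOf'
    }
}

# sites-enabled/default, inside the authorize section: look the user up,
# then gate access on membership of one AD group (DN is a placeholder).
ldap
if (LDAP-Group == "CN=VPN-Users,OU=Groups,DC=example,DC=test") {
    ok
}
else {
    reject
}
```

Two points worth checking when deploying something like this: the bind password lives in a file the RADIUS daemon (and therefore its administrator) can read, so the audit question is really about scoping the account's rights, not about hiding the credential from the RADIUS admin; and the service account should be granted read access to user objects and `memberOf` only, which is all the group check above needs.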

