wifi users + NAS users auth against AD

Brian Julin BJulin at clarku.edu
Mon Jan 30 17:49:03 CET 2017

3 Wrote:
> I am wondering what is the best practice (security) when it comes NAS user
> authentication:

Personally I think the best policy is not to use remote authentication servers
for administrative switch access, and not to use the same password for
administrative access to networking equipment as you do for SSO/AD, but
that's a matter of opinion and certainly depends on institutional needs.

> would it be better to have a separate server for the NAS user
> (cisco users) authentication ? or could I have both the WiFi user auth
> and NAS user auth on the same server?

You could.

>The WiFi auth is based on MSCHAP module (against the AD), and since
> MSCHAP is not possible with the NAS user authentication, I assume that
> I have to use NTLM with PAP to authenticate the NAS user to the AD;
> These setup can't be on the same server (at least binding on same
> ports). Am  I correct? or do I have it wrong?

You could use unlang to decide which protocols to run based on a number
of factors, but unless there is a compelling reason not to use a different
port number, it would probably be much easier to simply define a second
server (running in the same FreeRADIUS process) and use the incoming
port number to select the server with the "virtual_server" directive of the
"listen" section (and not using a  "virtual_server" directive in "client"
sections, since that would override.)

I wasn't aware administrative access on Cisco could use NTLM, except
perhaps for the administrative web interface.

More information about the Freeradius-Users mailing list