wifi users + NAS users auth against AD
pauly at hrz.uni-marburg.de
Tue Jan 31 08:49:35 CET 2017
On 30.01.2017 17:49, Brian Julin wrote:
> Personally I think the best policy is not to use remote authentication servers
> for administrative switch access,
we have 400+ LAN switches, and relying on local settings is not an option for
everyday operation. We do put a local account into every switch though, in case
something goes badly wrong (there have been IOS updates with surprises in the past).
> and not to use the same password for
> administrative access to networking equipment as you do for SSO/AD
> but that's a matter of opinion and certainly depends on institutional needs.
exactly. We used to have one redundant pair of RADIUS servers which
we used for both WiFi users and administrative auth. I had separated the
passwords using some heuristics to figure out what kind of request was
coming in. That was nice for a while, but as our network landscape got
more and more heterogeneous it turned out to be complicated and error-prone.
Finally, we split this up. So I would advise you to go for a separate
set of (perhaps virtual) servers for user auth and admin auth respectively.
It also looks like you _could_ use AD directly from Cisco:
But putting a RADIUS server in between gives you all sorts
of control over the auth process, e.g. you could easily change
your store of admin passwords later on.
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
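An added example of the split recommended above, in FreeRADIUS 3 configuration syntax; it is not the author's configuration and not taken from the FreeRADIUS project. Each NAS is routed to its virtual server by its client definition rather than by guessing from request attributes; addresses, secrets, server names and the AD group name are placeholders, the `ldap` and `mschap` modules are assumed to be set up against AD as in the stock `mods-available` files, and the client-level `virtual_server` override of the listener is assumed to behave as in FreeRADIUS 3.

```unlang
# clients.conf: each NAS is pinned to one virtual server by configuration,
# not guessed from request attributes. (constructed; values are placeholders)
client wlc-01 {
    ipaddr         = 192.0.2.10        # wireless controller
    secret         = CHANGE-ME-wlc
    virtual_server = wifi-users
}
client switches-mgmt {
    ipaddr         = 198.51.100.0/24   # switch management network
    secret         = CHANGE-ME-switches
    virtual_server = admin-auth
}

# sites-enabled/wifi-users: end-user 802.1X. The single listener lives here;
# clients tagged admin-auth are diverted to that server (assumed override).
server wifi-users {
    listen {
        type   = auth
        ipaddr = *
        port   = 1812
    }
    authorize {
        mschap            # MS-CHAPv2 against AD via ntlm_auth
        eap
    }
    authenticate {
        mschap
        eap
    }
}

# sites-enabled/admin-auth: device logins only, restricted to one AD group.
# Changing the admin password store later means changing only this file.
server admin-auth {
    authorize {
        ldap              # lookup; also populates LDAP-Group
        if (!(LDAP-Group == "net-admins")) {   # placeholder group name
            reject
        }
        if (User-Password && !control:Auth-Type) {
            update control { Auth-Type := ldap }   # PAP from IOS: LDAP bind
        }
    }
    authenticate {
        Auth-Type LDAP { ldap }
    }
}
```

Because the switches' requests never reach `wifi-users` and WiFi requests never reach `admin-auth`, the request-type heuristics described in the post are no longer needed.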