wifi users + NAS users auth against AD

Martin Pauly pauly at hrz.uni-marburg.de
Tue Jan 31 08:49:35 CET 2017


On 30.01.2017 17:49, Brian Julin wrote:
> Personally I think the best policy is not to use remote authentication servers
> for administrative switch access,
we have 400+ LAN switches, and relying on local settings is not an option for
every-day operation. We do put a local account into every switch though, in case
something goes badly wrong (there have been IOS updates with surprises in the past).

> and not to use the same password for
> administrative access to networking equipment as you do for SSO/AD
>  but that's a matter of opinion and certainly depends on institutional needs.
exactly. We used to have one redundant pair of RADIUS servers which
we used for both WiFi users and administrative auth. I had separated the
passwords using some heuristics to figure out what kind of request was
coming in. That was nice for a while, but as our network landscape got
more and more heterogeneous it turned out to be complicated and error-prone.
Finally, we split this up. So I would advise you to go for a separate
set of (perhaps virtual) servers for user auth and for admin auth.
It also looks like you _could_ use AD directly from Cisco:
https://rbgeek.wordpress.com/2013/01/14/authenticate-the-cisco-devices-using-active-directory/
But putting a RADIUS server in between gives you all sorts
of control over the auth process, e.g. you could easily change
your store of admin passwords later on.

Cheers, Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
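The split described above, sketched as a FreeRADIUS 3 site file with one virtual server per audience; this is an added example, not configuration from the list post or from the FreeRADIUS project, and the port numbers, client addresses, placeholder secrets, the AD group name "net-admins" and the per-socket client layout are assumptions.

```text
server wifi-users {                # 802.1X/EAP from WLAN controllers
    listen {
        type = auth
        ipaddr = *
        port = 1812
        clients = wifi-nas
    }
    clients wifi-nas {
        client wlc1 {
            ipaddr = 10.0.0.10     # assumed controller address
            secret = PLACEHOLDER_WIFI_SECRET
        }
    }
    authorize {
        suffix
        eap                        # inner PEAP/MSCHAPv2 checked against AD
    }
    authenticate {
        eap
    }
}

server admin-auth {                # switch/NAS management logins only
    listen {
        type = auth
        ipaddr = *
        port = 1822                # assumed; any port the NAS can be pointed at
        clients = admin-nas
    }
    clients admin-nas {
        client lan-switches {
            ipaddr = 10.0.1.0/24   # assumed switch management range
            secret = PLACEHOLDER_ADMIN_SECRET
        }
    }
    authorize {
        ldap                       # admin directory; can be swapped out later
        if (!(LDAP-Group == "net-admins")) {   # assumed AD group for admins
            reject
        }
        if ((ok || updated) && User-Password) {
            update control { Auth-Type := LDAP }   # bind as the user to check the password
        }
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
}
```

Because each audience has its own socket and client list, no request-content heuristics are needed to tell a switch login from a WiFi user, and the admin backend can later be moved to a different directory without touching the user-facing server.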
