wifi users + NAS users auth against AD

Martin Pauly pauly at hrz.uni-marburg.de
Tue Jan 31 08:49:35 CET 2017

On 30.01.2017 17:49, Brian Julin wrote:
> Personally I think the best policy is not to use remote authentication servers
> for administrative switch access,
We have 400+ LAN switches, and relying on local settings is not an option for
everyday operation. We do put a local account into every switch though, in case
something goes badly wrong (there have been IOS updates with surprises in the past).

> and not to use the same password for
> administrative access to networking equipment as you do for SSO/AD
>  but that's a matter of opinion and certainly depends on institutional needs.
Exactly. We used to have one redundant pair of RADIUS servers which
we used for both WiFi users and administrative auth. I had separated the
passwords using some heuristics to figure out what kind of request was
coming in. That was nice for a while, but as our network landscape got
more and more heterogeneous it turned out to be complicated and error-prone.
Finally, we split this up. So I would advise you to go for a separate
set of (perhaps virtual) servers for each of user auth and admin auth.
It also looks like you _could_ use AD directly from Cisco:
But putting a RADIUS server in between gives you all sorts
of control over the auth process, e.g. you could easily change
your store of admin passwords later on.

Cheers, Martin

   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
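The split recommended above, as an added FreeRADIUS 3 configuration example that is not part of the original post and not the FreeRADIUS project's own configuration: a virtual server reserved for administrative logins to network devices, with its own listener address, its own client list and its own LDAP instance bound to the directory, so the admin password store can be swapped later without touching the WiFi side. The file names, the listener address 192.0.2.10, the management subnet 10.10.0.0/16, the shared secrets, the `ldap_admins` instance name, the admin OU and the privilege-15 mapping are all assumptions for the example.

```unlang
# mods-enabled/ldap_admins   (assumed file name)
# A second ldap instance, separate from the one user auth uses. Authentication is
# a bind as the user, which works against AD without access to password hashes.
ldap ldap_admins {
    server   = "ldaps://dc.example.net"                          # assumed
    identity = "cn=radius-admin-bind,ou=svc,dc=example,dc=net"   # assumed
    password = "changeme"                                        # assumed
    base_dn  = "dc=example,dc=net"                               # assumed
    user {
        # Only accounts in this OU can log in to switches (assumed OU name)
        base_dn = "ou=netadmins,${..base_dn}"
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# sites-enabled/admin-auth   (assumed file name)
server admin-auth {
    listen {
        type    = auth
        ipaddr  = 192.0.2.10          # assumed address reserved for admin auth
        port    = 1812
        clients = admin_clients       # only the switch management subnet is accepted
    }

    authorize {
        # Sanity check, not the separation itself: IOS vty/console logins carry
        # Service-Type = Login-User or NAS-Prompt-User. An EAP or Framed-User request
        # reaching this listener is a misconfigured NAS and is rejected outright.
        if (EAP-Message || !(Service-Type == Login-User || Service-Type == NAS-Prompt-User)) {
            reject
        }
        ldap_admins
        if (ok || updated) {
            update control {
                Auth-Type := LDAP
            }
        }
    }

    authenticate {
        Auth-Type LDAP {
            ldap_admins
        }
    }

    post-auth {
        update reply {
            # Assumed policy: every account in the admin OU gets privilege 15
            Cisco-AVPair := "shell:priv-lvl=15"
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}

# Client list used only by the admin-auth listener (assumed subnet and secret)
clients admin_clients {
    client switches {
        ipaddr   = 10.10.0.0/16
        secret   = "changeme"
        nas_type = cisco
    }
}
```

On the switch side, the `aaa authentication login` method list for the vty lines would point at a server group containing only 192.0.2.10, with `local` as the last method so the break-glass account mentioned in the post still works when RADIUS is unreachable. The WiFi virtual server keeps its own listener, client list and ldap instance; the Service-Type test above is just a guard, the actual separation is the dedicated address and client list, which is what removes the need for the request-classification heuristics the post describes.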
