openLDAP, freeRadius and firewall integration
M. selcuk karaca
selcuk.karaca at pardus.org.tr
Thu Jun 1 10:09:41 CEST 2017
Hi
Let me add some more clarification. I accept that I still have lots of things
to learn and this mailing list can serve this well :)
There is a firewall and this easily integrates with Windows Active
Directory. The FW admin can easily get users and apply FW policies to these
users. For example, users can be banned from internet access.
Our aim is to implement this with open source software.
We have replaced Windows Active Directory with an openLDAP server. But we
could not integrate it with the FW. openLDAP just serves for authenticating
users. AFAIK, there is no way to integrate openLDAP with the FW.
So here freeRadius comes onto the scene. (After this point I may be wrong,
please advise..)
AFAIK, freeRadius can send accounting information to the FW. We put a
radiusClass attribute in the openLDAP user definition, and we configure
freeRadius to get authentication information from openLDAP. If a user
logs in through freeRadius, then we get an accounting packet including the
radiusClass attribute travelling to our FW.
The FW sees the accounting packet and, according to the radiusClass attribute, can
decide on internet rights.
Is this a correct configuration? Are there any better ways to implement
this?
TIA..
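To make the Class-attribute round trip described in the message above concrete, here is an added example that is not part of the thread and not FreeRADIUS code. It models the three parties in plain Python: the RADIUS server returning the user's radiusClass value as the opaque Class attribute (RFC 2865, attribute 25), the NAS echoing that Class into an Accounting-Request Start (RFC 2866), and the firewall recomputing the accounting Request Authenticator with the shared secret before it trusts the Class value to pick a policy. The directory contents, shared secret, addresses and policy table are constructed sample values; in a real deployment the lookup would be done by the FreeRADIUS ldap module rather than the dictionary used here.

```python
"""Added example (not from the thread): Class attribute flow LDAP -> RADIUS ->
NAS -> firewall, with the firewall verifying the accounting authenticator.
All directory data, secrets and addresses below are constructed sample values."""
import hashlib
import hmac
import socket
import struct

# Packet codes and attribute types from RFC 2865 / RFC 2866
ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
ACCT_START = 1

# Constructed stand-in for the LDAP directory: user -> radiusClass value
DIRECTORY = {"alice": b"internet-allow", "bob": b"internet-deny"}
# Constructed firewall policy table keyed on the Class value
POLICY_BY_CLASS = {b"internet-allow": "allow", b"internet-deny": "deny"}
SECRET = b"constructed-shared-secret"  # shared between NAS and firewall


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def access_accept_attrs(username):
    """RADIUS server side: return the user's radiusClass as Class (attribute 25)."""
    return [(CLASS, DIRECTORY[username])]


def build_accounting_start(ident, username, ip, reply_attrs, secret):
    """NAS side: echo the opaque Class from the Access-Accept into an Accounting-Request.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = [(USER_NAME, username.encode()),
             (FRAMED_IP_ADDRESS, socket.inet_aton(ip)),
             (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))]
    attrs += [(t, v) for t, v in reply_attrs if t == CLASS]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secret):
    """Firewall side: recompute the authenticator; return attributes only if it matches."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(auth, expected):
        return None
    try:
        return decode_attrs(body)
    except ValueError:
        return None


def firewall_decision(packet, secret):
    """Map a verified Accounting-Start to (policy, ip). Unknown Class -> deny."""
    attrs = verify_accounting_request(packet, secret)
    if attrs is None:
        return ("discard", None)          # bad authenticator or malformed: never act on it
    fields = {}
    for t, v in attrs:
        fields.setdefault(t, v)           # first occurrence of each attribute wins
    if fields.get(ACCT_STATUS_TYPE) != struct.pack("!I", ACCT_START):
        return ("ignore", None)           # only Start records open a policy entry here
    ip = socket.inet_ntoa(fields[FRAMED_IP_ADDRESS]) if FRAMED_IP_ADDRESS in fields else None
    policy = POLICY_BY_CLASS.get(fields.get(CLASS), "deny")
    return (policy, ip)


def demo():
    """Run the whole round trip for the constructed user alice."""
    reply = access_accept_attrs("alice")                      # Access-Accept contents
    pkt = build_accounting_start(7, "alice", "10.0.0.5", reply, SECRET)
    return firewall_decision(pkt, SECRET)


if __name__ == "__main__":
    print(demo())   # ('allow', '10.0.0.5')
```

The point the example makes for the firewall side is that Class is only as trustworthy as the accounting packet carrying it: a packet with a wrong or tampered authenticator is discarded rather than mapped to a policy, and a Class value the firewall does not know falls back to deny.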
On May 31, 2017, at 6:56 AM, M. selcuk karaca <selcuk.karaca at pardus.org.tr
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>> wrote:
> We have an openLDAP server. And we want to integrate LDAP users to our
> firewall. Our ultimate aim for integration is to apply FW policies
> according to users. Currently we are applying policies according to IP
> addresses.
That's largely how firewalls work... applying rules by users is a bit more difficult.
> Because openLDAP server does not provide us with accounting information
> sent to the FW, we have employed a freeRadius server.
FreeRADIUS doesn't generate accounting records. It receives accounting records from a NAS or firewall.
> But we could not trigger freeRadius accounting packages by
> authenticating our users with openLDAP server.
Because OpenLDAP doesn't generate accounting packets.
> So we have used libpam-radius-auth package and directly authenticated
> users from freeRadius.
Which does some accounting...
> I want to ask whether this way is a logical one. Does this have any
> negative effects, not recommended etc..
>
> What should be the correct architecture for authenticating our users
> from openLDAP and provide Firewall integration for user based policies..?
I'm not even sure what you want to do.
Your question isn't clear that you understand how firewalls work, how LDAP works, and how RADIUS works.
Alan DeKok.
On 31-05-2017 13:56, M. selcuk karaca wrote:
> Hi
>
> I have an architectural question and I hope I will not destroy list rules
>
> We have an openLDAP server. And we want to integrate LDAP users to
> our firewall. Our ultimate aim for integration is to apply FW policies
> according to users. Currently we are applying policies according to IP
> addresses.
>
> Because openLDAP server does not provide us with accounting
> information sent to the FW, we have employed a freeRadius server.
>
> But we could not trigger freeRadius accounting packages by
> authenticating our users with openLDAP server. So we have used
> libpam-radius-auth package and directly authenticated users from
> freeRadius.
>
> I want to ask whether this way is a logical one. Does this have any
> negative effects, not recommended etc..
>
> What should be the correct architecture for authenticating our users
> from openLDAP and provide Firewall integration for user based policies..?
>
> Thanks for your guidance..
>