openLDAP, freeRadius and firewall integration

Lasse Odden lasse.odden at gmail.com
Thu Jun 1 10:33:01 CEST 2017


As far as I know, most of the firewalls I've been using check user
memberships, store them temporarily, and check every 5 or 15 min for
changes.
An LDAP group is then assigned to an access rule.
The firewalls read log files on the domain controllers to assign user-to-IP.
I do not think FreeRADIUS can help you out here.
What kind of firewall are you using, btw?

Regards,
Lasse Odden

On Thu, Jun 1, 2017 at 10:09 AM, M. selcuk karaca <
selcuk.karaca at pardus.org.tr> wrote:

> Hi
>
> Let me add more clarity. I accept that I still have lots of things to
> learn, and this mailing list can serve this well :)
>
>
> There is a firewall and this easily integrates with Windows Active
> Directory. The FW admin can easily get users and apply FW policies to these
> users. For example, users can be banned from internet access.
>
>
> Our aim is to implement this with open source software.
>
> We have replaced Windows Active Directory with an openLDAP server. But we
> could not integrate it with the FW. openLDAP just serves for authenticating
> users. AFAIK, there is no way to integrate openLDAP with the FW.
>
>
> So here freeRadius comes onto the scene. (After this point I may be wrong,
> please advise..)
>
>
> AFAIK, freeRadius can send accounting information to the FW. We put a
> radiusClass attribute in the openLDAP user definition, and we configure
> freeRadius to get authentication information from openLDAP. If the user logs
> in through freeRadius, then we get an accounting packet including the
> radiusClass attribute travelling to our FW.
>
> The FW sees the accounting packet and, according to the radiusClass
> attribute, can decide on internet rights.
>
>
> Is this a correct configuration? Are there any better ways to implement
> this?
>
> TIA..
>
> On May 31, 2017, at 6:56 AM, M. selcuk karaca <selcuk.karaca at
> pardus.org.tr> wrote:
>
>> We have an openLDAP server. And we want to integrate LDAP users to our
>> firewall. Our ultimate aim for integration is to apply FW policies
>> according to users. Currently we are applying policies according to IP
>> addresses.
>
>   That's largely how firewalls work... applying rules by users is a bit
> more difficult.
>
>> Because openLDAP server does not provide us with accounting information
>> sent to the FW, we have employed a freeRadius server.
>
>   FreeRADIUS doesn't generate accounting records.  It receives accounting
> records from a NAS or firewall.
>
>> But we could not trigger freeRadius accounting packages by
>> authenticating our users with openLDAP server.
>
>   Because OpenLDAP doesn't generate accounting packets.
>
>> So we have used libpam-radius-auth package and directly authenticated
>> users from freeRadius.
>
>   Which does some accounting...
>
>> I want to ask whether this way is a logical one. Does this have any
>> negative effects, not recommended etc..
>>
>> What should be the correct architecture for authenticating our users from
>> openLDAP and provide Firewall integration for user based policies..?
>
>   I'm not even sure what you want to do.
>
>   Your question into clear that you understand how firewalls work, how
> LDAP works, and how RADIUS works.
>
>   Alan DeKok.
>
>
>
>
> On 31-05-2017 13:56, M. selcuk karaca wrote:
>
>> Hi
>>
>> I have an architectural question and I hope I will not destroy list rules.
>>
>> We have an openLDAP server. And we want to integrate LDAP users to our
>> firewall. Our ultimate aim for integration is to apply FW policies
>> according to users. Currently we are applying policies according to IP
>> addresses.
>>
>> Because openLDAP server does not provide us with accounting information
>> sent to the FW, we have employed a freeRadius server.
>>
>> But we could not trigger freeRadius accounting packages by authenticating
>> our users with openLDAP server. So we have used libpam-radius-auth package
>> and directly authenticated users from freeRadius.
>>
>> I want to ask whether this way is a logical one. Does this have any
>> negative effects, not recommended etc..
>>
>> What should be the correct architecture for authenticating our users from
>> openLDAP and provide Firewall integration for user based policies..?
>>
>> Thanks for your guidance..
>>
>>

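The mechanism the thread circles around, shown as an added example that is not code from the thread, from Lasse, Alan, or the FreeRADIUS project: accounting packets originate at the NAS (here the firewall, since OpenLDAP never generates them), and the marker a firewall can act on is the RADIUS Class attribute (type 25), which a RADIUS server may return in an Access-Accept and which the NAS must echo unchanged in its Accounting-Requests (RFC 2865 section 5.25). The Python below builds a constructed Accounting-Request, verifies its RFC 2866 Request Authenticator against the shared secret, extracts User-Name, Framed-IP-Address, Class and Acct-Status-Type, and maintains a user-to-IP session table on Start/Stop. The shared secret, user name, address and the Class-to-policy table are constructed sample values, not values from the thread.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet code and attribute types used here (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CLASS = 25
ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2

# Constructed policy table (placeholder names): the opaque Class value the NAS
# echoes back is mapped to the firewall rule set a user should land in.
POLICY_BY_CLASS = {
    b"radiusClass=staff": "internet-allowed",
    b"radiusClass=guest": "internet-blocked",
}


def build_accounting_request(ident, secret, attrs):
    """Encode an Accounting-Request; stands in for the NAS/firewall as sample traffic.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    (RFC 2866 section 3). attrs is a list of (type, raw value bytes).
    """
    body = b"".join(bytes([typ, len(val) + 2]) + val for typ, val in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_authenticator(packet, secret):
    """True only if the Request Authenticator was computed with this shared secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(body):
    """Walk the TLV attribute list, refusing truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        typ, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((typ, body[i + 2:i + length]))
        i += length
    return attrs


def parse_accounting_request(packet, secret):
    """Validate the packet and return the fields a user-aware firewall needs."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not verify_authenticator(packet, secret):
        # Reject before trusting any attribute: a packet that fails this check
        # did not come from a NAS holding the shared secret.
        raise ValueError("Request Authenticator mismatch")
    record = {"user": None, "ip": None, "class": None, "status": None}
    for typ, val in parse_attributes(packet[20:]):
        if typ == USER_NAME:
            record["user"] = val.decode("utf-8", "replace")
        elif typ == FRAMED_IP_ADDRESS and len(val) == 4:
            record["ip"] = str(ipaddress.IPv4Address(val))
        elif typ == CLASS:
            record["class"] = val
        elif typ == ACCT_STATUS_TYPE and len(val) == 4:
            record["status"] = struct.unpack("!I", val)[0]
    return record


def apply_accounting(sessions, record):
    """Update the IP -> (user, policy) table from one accounting record."""
    if record["ip"] is None:
        return sessions
    if record["status"] == ACCT_START:
        policy = POLICY_BY_CLASS.get(record["class"], "default-deny")
        sessions[record["ip"]] = (record["user"], policy)
    elif record["status"] == ACCT_STOP:
        sessions.pop(record["ip"], None)
    return sessions


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    start = build_accounting_request(7, secret, [
        (USER_NAME, b"alice"), (FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5])),
        (CLASS, b"radiusClass=staff"), (ACCT_STATUS_TYPE, b"\x00\x00\x00\x01")])
    table = apply_accounting({}, parse_accounting_request(start, secret))
    print(table)
```

The authenticator check is the part worth keeping: an unauthenticated Accounting-Request is just a UDP datagram, so a firewall that maps users to addresses from accounting without validating the shared secret would take its policy decisions from anyone who can reach its accounting port. Unknown Class values fall through to a deny policy rather than to the most permissive one.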
