openLDAP, freeRadius and firewall integration

Alan DeKok aland at
Thu Jun 1 13:18:18 CEST 2017

On Jun 1, 2017, at 4:09 AM, M. selcuk karaca <selcuk.karaca at> wrote:
> There is a firewall and this easily integrates with windows active directory. FW admin can easily get users and apply FW policies to these users. For example users can be banned from internet access.

  Integrates... how?

> Our aim is to implement this  with open source softwares.

  First, find out what the current system does.

> we have replaced windows active directory with openLDAP server. But we could not integrated it with FW. openLDAP just serves for authenticating users. AFAIK, There is no way to integrate openLDAP with FW.

  If the firewall does LDAP queries to AD, it can do LDAP queries to OpenLDAP.

> AFAIK, freeRadius can send accounting information to FW.


  The firewall sends accounting information to FreeRADIUS.

> we put radiusClass attribute in openLDAP user definition. and we configure freeRadius to get authentication information from openLDAP. if user logins from freeRadius then we get accounting packet including radiusClass attrbute travelling to our FW.

  The user doesn't "login from FreeRADIUS".

  FreeRADIUS never sends accounting packets to the firewall.

> FW sees accounting packet and according to radiusClass attribute can decide on internet rights


> Is this a correct configuration? Are there any better ways to implement this?

  You need to find out how your current system works.

  Alan DeKok.

More information about the Freeradius-Users mailing list