Cisco IOS authentication to Freeradius that is linked to AD

Alan DeKok aland at deployingradius.com
Fri Feb 22 17:08:41 CET 2019


On Feb 22, 2019, at 11:00 AM, Greg Stuart <gstuart at portageps.org> wrote:
> I am new to freeradius so please go easy on me :) Here is what I am trying
> to do.  I am trying to get my Cisco switches to authenticate a user with
> full permissions "lvl 15" by using freeradius that is linked to AD.  Using
> AD credentials
> 
> Below are the configs:

  We don't need to see the switch config or debug output.  The FreeRADIUS debug log shows everything we need.

> Server Info:FreeRadius server running on Ubuntu 18.04 LTS
> 
> tcpdump:
...
> Tail of Radius Log:

  We don't need those, either.

  You get a message when you join the list.  That message tells you what we *do* need, and what you *should not* post.  Please read it.

> freeradius -X output:
> eady to process requests
> (0) Received Access-Request Id 11 from 192.168.160.47:1645 to

  With lots of stuff deleted...

> Any help would be appreciated.  Again what I am trying to do,  is log into
> a cisco switch using my AD credentials.  I have a freeradius server that is
> linked to AD.  The link to AD has been confirmed to work.

  What do you mean "linked to AD"?  That the FreeRADIUS machine has joined the AD domain?

  That's nice, but FreeRADIUS doesn't know that.  There's no magic in the server (or OS) saying "look users up in AD".

  The issue here is that you haven't configured FreeRADIUS to do anything with AD.  i.e. it doesn't use LDAP or ntlm_auth to authenticate the users.  That's why it's rejecting the users.

  Please read my documentation on AD integration:  http://deployingradius.com/documents/configuration/active_directory.html

  If you look through the config files for "Active Directory", you will see a number of comments with what to do, and what to configure.  Those should help, too.

  Alan DeKok.
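The following is an added illustration, not part of Alan's reply and not the FreeRADIUS project's own configuration: the minimal ntlm_auth wiring that the reply says is missing, so that PAP logins from the switch are checked against AD, plus the Cisco reply attribute that grants privilege level 15. The NetBIOS domain name EXAMPLE, the Ubuntu config paths under /etc/freeradius/3.0, and the decision to grant level 15 to every authenticated user are assumptions for the example; in a real deployment the DEFAULT entry would be restricted to an AD group.

```text
# ---- /etc/freeradius/3.0/mods-available/ntlm_auth ----
# Symlink this file into mods-enabled/.  It is an "exec" module that shells out
# to Samba's ntlm_auth; the FreeRADIUS host must already be joined to the domain
# and winbind must be running, or ntlm_auth itself fails before RADIUS is involved.
# The domain name EXAMPLE is an assumption: use your own NetBIOS domain name.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# ---- /etc/freeradius/3.0/sites-enabled/default  (only the additions shown) ----
# Everything else in the authorize and authenticate sections stays as shipped.
authenticate {
        # A non-zero exit status from ntlm_auth (bad password, unknown user,
        # winbind down) rejects the request; exit 0 accepts it.
        Auth-Type ntlm_auth {
                ntlm_auth
        }
}

# ---- /etc/freeradius/3.0/users ----
# Force AD checking for every user, then return the Cisco shell privilege level.
# Cisco-AVPair comes from the stock dictionary.cisco shipped with FreeRADIUS.
# Granting priv-lvl 15 to everyone who authenticates is an assumption made for
# this example; limit it to an admin group (e.g. via the ldap module) in practice.
DEFAULT Auth-Type := ntlm_auth
        Cisco-AVPair = "shell:priv-lvl=15"
```

Before touching RADIUS, run the same ntlm_auth command by hand as the freerad user with a known-good AD account; if that does not print "NT_STATUS_OK", the problem is the Samba/winbind join, not FreeRADIUS. Then restart the server with "freeradius -X" and confirm the debug output shows the ntlm_auth module being called in the authenticate section for the switch's Access-Request.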
