[EXTERNAL] Re: FreeRadius and Active Directory and SSSD

Winfield, Alister (Senior Solutions Architect) Alister.Winfield at sky.uk
Tue May 10 15:26:21 UTC 2022


When asking can FreeRADIUS do something there is a simple way to look at it…

Simplified thinking process is (for Authentication):

Get an example of the RADIUS data arriving in the Authentication packets:
Using ONLY that information identify the ‘service’ and thus get the required authentication attribute(s)
(This might be delegated to something else, eg. SAMBA, depending upon the authentication mechanisms used)
Using ONLY that information / service identity get the information to fill in response attributes.
Build the policy that performs the lookups and constructs the reply.

99% of the time this just works; in the 1% case there are protocol reasons that it doesn’t (e.g. requiring the service / user directory to hold plain text passwords for certain authentication mechanisms).

Second one that often comes up: if the question is really asking about what the RADIUS response can configure, then stop looking at RADIUS and start reading the equipment vendor’s documentation. RADIUS just sends attributes and values to the equipment; what the equipment does with those attributes is totally in the hands of that vendor. Here be dragons, because there are many, many ways in which vendors interpret / misinterpret even very old, well defined RADIUS attributes.


A.


From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org> on behalf of White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users at lists.freeradius.org>
Date: Tuesday, 10 May 2022 at 14:16
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: White, Daniel E. (GSFC-770.0)[AEGIS] <daniel.e.white at nasa.gov>
Subject: [EXTERNAL] Re: FreeRadius and Active Directory and SSSD
Thanks.
Does the AD-LDAP connection provide AD groups to allow user "filtering" ?


On 5/10/22, 09:10, "Alan DeKok" <aland at deployingradius.com> wrote:

    On May 10, 2022, at 8:56 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
    >
    > I am trying to replace a Cistron RADIUS service running on a dinosaur of a Sparc Solaris 9 server before it explodes.

      Wow.  Cistron was effectively dead 20 years ago.

    > This RADIUS service is only used to access network devices (switches, routers, etc.)

      Likely only PAP then.  But you'll have to double-check the packets.  Every piece of vendor equipment does something magical and special.

    > We are moving to a centralized credentials setup with usernames/passwords in Active Directory.
    >
    > We followed this document to connect RHEL servers.
    > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/index
    >
    > Now we need a new RADIUS service that uses the AD credentials.

      Odds are that you can just use PAP, and connect to AD via LDAP.  And also check admin group privileges!

        if (LDAP-Group != "admin") {
                reject
        }
        ... else check passwords, etc.

      Alan DeKok.
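The following FreeRADIUS 3.x virtual server fragment is an added example, not code from this thread or from the FreeRADIUS project. It walks through the steps Alister lists (look at what arrives, identify the service from that alone, look up the user, build the reply) and includes the LDAP-Group gate Alan sketches, which is also how the AD group "filtering" Daniel asks about is done. Assumptions: an ldap module instance named "ldap" (mods-available/ldap) is pointed at AD with its group section configured to use memberOf so LDAP-Group comparisons by name work; the AD group is called "NetworkAdmins" (a constructed name); the switches and routers send PAP, so User-Password is present; the virtual server name "network-devices" is made up for this example.

```unlang
# Added example: sites-available/network-devices (hypothetical file name).
# Everything talking to this virtual server is a network device, so the
# "service" is fixed; a mixed deployment would branch on NAS-IP-Address or
# %{client:shortname} from clients.conf before choosing the required group.
server network-devices {
	listen {
		type = auth
		ipaddr = *
		port = 1812
	}

	authorize {
		# 1. Evidence first: in debug mode (radiusd -X) this logs the attributes the
		#    NAS actually sent. The policy below may rely only on these.
		"request from %{client:shortname}: user=%{User-Name} nas=%{NAS-IP-Address}"

		# 2. Look the user up in AD over LDAP. The leading '-' means "do not fail if
		#    the module is not loaded"; a user missing from AD is rejected outright.
		-ldap
		if (notfound) {
			reject
		}

		# 3. Group gate, as in the reply above: no membership, no password check.
		#    LDAP-Group is resolved by the ldap module via the group section of
		#    mods-available/ldap (memberOf on AD). Group name is a constructed value.
		if (!(&LDAP-Group == "NetworkAdmins")) {
			reject
		}

		# 4. PAP: have the ldap module bind to AD as the user. AD never hands out the
		#    clear-text password, which is why PAP (bind) works where MS-CHAP via LDAP
		#    does not; MS-CHAP would need ntlm_auth / winbind instead.
		if (&User-Password) {
			update control {
				&Auth-Type := ldap
			}
		}
	}

	authenticate {
		Auth-Type ldap {
			ldap
		}
	}

	post-auth {
		# 5. Build the reply. What the NAS does with these attributes is entirely
		#    vendor-defined: Service-Type = NAS-Prompt-User is the RFC 2865 value for
		#    an administrative CLI login, and Cisco-AVPair "shell:priv-lvl=15" is the
		#    Cisco convention for enable level; other vendors expect other attributes.
		update reply {
			&Service-Type := NAS-Prompt-User
			&Cisco-AVPair := "shell:priv-lvl=15"
		}

		# Strip anything that must not travel in an Access-Reject.
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

Verify the group check with the debug output rather than assuming it: run radiusd -X, send one request from a real switch, and confirm the LDAP-Group comparison line shows the expected match or mismatch before relying on it, since a misconfigured group section makes every comparison fail and therefore rejects everyone.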


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html