FreeRADIUS integration Active Directory for switch management

Hello,

I want to set up FreeRADIUS and set up integration with Active Directory to allow switch management.

FreeRADIUS will work like NPS, with a security group created on AD, authenticating users in that group and allowing administration of switches - not for WiFi authentication (for now).

Michael
SYN ACK, Snr Analyst, asked:
gheist commented:
Don't know where to start?
http://distrowatch.com/dwres.php?resource=popularity
I would choose Debian, but you are free to choose any without a GUI.

Microsoft NPS is a RADIUS protocol server like FreeRADIUS.

Integration:
Then join winbindd to active directory
Then get freeradius talking to winbindd
Then get the switch

It is all very well documented on the freeradius site; I don't see a reason why you don't try it out.
arnold commented:
You can; why not use the NPS from the Windows platform?
You could use freeradius as the proxy.

The integration of the mixed setup would mean you would need to configure the ldap component of freeradius to be able to query the AD. Complicating matters, you would need to define within freeradius the criteria, group membership etc. Depending on your switches, presumably you want to use 802.1x to authorize systems/users .....

and access to manage the switch....
SYN ACK, Snr Analyst, author commented:
At this moment I am configuring a series of switches, which will get deployed at the remote offices. No need for 802.1x, but I need to manage all my switches using centralised directory services and using freeradius because it will run on CentOS or Ubuntu. AD is managed by another team and I don't want it changed except to add users (network admins). FreeRADIUS was used in my last organisation to authenticate users for 802.11, but here it's a project for the near future. Switches are to be managed before going to remote sites.

arnold commented:
That is fine; presumably you want freeradius to query an AD server where it is to authenticate the user while within radius you will manage the group rights, or will everything have to be on the AD side with freeradius using LDAP to access the AD to query?

Alternatively, you could script an export of users/groups from the AD and transfer them, with the complication that the passwords are encrypted in AD and will not be validated through freeradius?

The confusing thing for me is the inclusion of both freeradius and AD.

You need to define the interaction if any to make things clearer.
btan, Exec Consultant, commented:
FreeRADIUS supports Kerberos (with a plaintext password) and NTLM authentication (used with MS-CHAPv2). Windows clients tend to default to NTLM authentication. NTLM authentication requires that the server that is running FreeRADIUS is joined to the Active Directory realm (domain) as a member. The howto in FreeRADIUS shared the following use cases for integrating with Active Directory:
• PAP or MSCHAP authentication with FreeRADIUS and ntlm_auth
• FreeRADIUS Active Directory Integration with example for wired 802.1X
• FreeRADIUS 3 MSCHAP authentication to AD without using ntlm_auth
(can catch the second one) http://wiki.freeradius.org/guide/HOWTO#Integrating-with-Active-Directory
But specifically for user groups, you likely have to use the ldap module, e.g. http://wiki.freeradius.org/modules/rlm_ldap#Group-Support

The use of "ntlm_auth and winbind" (for mostly PAP and MSCHAP authentication) is proven to be stable, but it is stated it may have performance issues once there are more than around 30 authentications per second. The tools "radclient" and "radtest" will be handy for testing the FreeRADIUS server by querying it directly with requests once the setup is to be tested...
SYN ACK, Snr Analyst, author commented:
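The winbind/ntlm_auth path that gheist's step list and btan's comment describe, as an added configuration example that is not from this thread or from the FreeRADIUS project. It assumes FreeRADIUS 3, a server already joined to the domain EXAMPLE with winbindd running, an AD group named NetworkAdmins, a Cisco IOS switch at a placeholder address and a shared secret to replace; the group check is done with ntlm_auth's --require-membership-of rather than the ldap module.

```conf
# clients.conf: one entry per managed switch (constructed placeholder values)
client branch-sw01 {
    ipaddr    = 192.0.2.10            # switch management IP (placeholder)
    secret    = CHANGE-ME-shared-secret
    shortname = branch-sw01
}

# mods-available/ntlm_auth (symlinked into mods-enabled/): hand the PAP
# password to Samba's ntlm_auth, which verifies it through winbindd.
# --require-membership-of makes the AD side reject users outside the group,
# so the switch-admin group check never leaves the domain.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE\\NetworkAdmins"
}

# sites-available/default: only the sections relevant to switch logins
server default {
    authorize {
        preprocess
        # Switch CLI logins arrive as PAP, so User-Password is present
        if (User-Password) {
            update control {
                Auth-Type := ntlm_auth
            }
        }
    }

    authenticate {
        Auth-Type ntlm_auth {
            ntlm_auth
        }
    }

    post-auth {
        # Mark the session as a management login for the switch
        update reply {
            Service-Type := Administrative-User
            # Assumption: Cisco IOS; other vendors use their own VSA
            Cisco-AVPair := "shell:priv-lvl=15"
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Before pointing a switch at the server, check the whole chain from the FreeRADIUS host with radtest (the tool btan mentions), e.g. `radtest <aduser> <password> 127.0.0.1 0 testing123`, where testing123 is the stock localhost secret in clients.conf; a user outside NetworkAdmins should get Access-Reject.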
Many thanks
gheist commented:
FreeRADIUS Active Directory Integration with example for wired 802.1X

This is the only one that works without reducing AD DC security.
btan, Exec Consultant, commented:
Yap, go with 802.1x / PEAP with the client and NTLM via AD calls. A guest VLAN can be offered to devices that do not support IEEE 802.1X. In other words, fall back to a VLAN with limited connectivity. Just a note that FreeRADIUS added VMPS support in Release 2.0.0 and is currently the only actively maintained Open Source VMPS server. This support allows administrators to assign machines to a VLAN based on their MAC address too (though there is mention of FreeNAC in the past @ http://freenac.net/en/book/export/html/339)

There are alternatives such as MAC address lists, port security, web portals or even a plain simple VLAN that others may consider, but do stick with 802.1x for adequate security when one wants to control which clients and users have access to the network.

Machine authentication is most often used for Windows machines enrolled in AD, but can also be used for Mac and Linux clients. As with user authentication, either EAP-TLS (machine certificate) or EAP-PEAP (the machine's AD name and password) is used for machine authentication.

In case you are troubleshooting FreeRADIUS, do refrain from running radiusd -X in production, as it provides large amounts of information and is therefore not suitable in a production environment. The accounting logs may contain useful information.
