SYN ACK (United Kingdom) asked:

FreeRADIUS integration Active Directory for switch management

Hello,

I want to set up FreeRADIUS and set up integration with Active Directory to allow switch management.

FreeRADIUS will work like NPS: a security group is created on AD, users in that group are authenticated, and they are allowed to administer the switches - not for WiFi authentication (for now).

Michael
gheist (Belgium)

Don't know where to start?
http://distrowatch.com/dwres.php?resource=popularity
I would choose Debian, but you are free to choose any without a GUI.

Microsoft NPS is a RADIUS protocol server like FreeRADIUS.

Integration:
Then join winbindd to Active Directory
Then get FreeRADIUS talking to winbindd
Then get the switch

It is all very well documented on the FreeRADIUS site; I don't see a reason why you don't try it out.
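The three stages gheist lists (join winbind to AD, get FreeRADIUS talking to winbind, then the switch) are easiest to troubleshoot when each is checked on its own, in order. The following POSIX shell script is an added example, not code from the thread or from the FreeRADIUS or Samba projects; it assumes a NetBIOS domain called EXAMPLE, a FreeRADIUS server on the same host using the stock localhost client secret `testing123` from `clients.conf`, and a test AD account whose credentials are passed on the command line. It uses Samba's `net`, `wbinfo` and `ntlm_auth` and FreeRADIUS's `radtest`, all of which are real tools; run it as root (or a user with access to winbind's privileged pipe) on the RADIUS host after the domain join.

```sh
#!/bin/sh
# Added example: verify the winbind -> ntlm_auth -> FreeRADIUS chain stage by stage.
# Assumed values (not from the original thread): NetBIOS domain EXAMPLE, FreeRADIUS on
# localhost with the stock client secret "testing123", and a test AD account.
set -eu

DOMAIN="${DOMAIN:-EXAMPLE}"                    # assumed NetBIOS domain name
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"        # FreeRADIUS listens on the same host
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"   # stock localhost secret in clients.conf; change it in production

# Stage 1: is this host joined to the domain, and can winbind reach a DC with the machine secret?
check_join() {
    net ads testjoin && wbinfo -t
}

# Stage 2: can Samba's ntlm_auth helper validate a password against AD?
# This is the same helper rlm_mschap / the exec ntlm_auth module call from FreeRADIUS.
check_ntlm() {
    ntlm_auth --request-nt-key --domain="$DOMAIN" --username="$1" --password="$2"
}

# Stage 3: does FreeRADIUS accept the same credentials over the RADIUS protocol?
# "-t mschap" exercises the MS-CHAPv2 path switches typically use; drop it to test PAP.
check_radius() {
    radtest -t mschap "$1" "$2" "$RADIUS_HOST" 0 "$RADIUS_SECRET"
}

# Reduce radtest's output to a single word so scripts (and humans) can act on it.
classify_reply() {
    case "$1" in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *) echo unknown ;;
    esac
}

# Run the stages in order and report the first one that fails, so the failing layer is obvious.
run_checks() {
    user="$1"; pass="$2"
    check_join >/dev/null 2>&1 || {
        echo "stage 1 failed: host not joined or winbind cannot reach a DC (net ads join / wbinfo -t)"
        return 1
    }
    check_ntlm "$user" "$pass" >/dev/null 2>&1 || {
        echo "stage 2 failed: ntlm_auth rejected $user (check DOMAIN and access to winbind's privileged pipe)"
        return 2
    }
    out="$(check_radius "$user" "$pass" 2>&1 || true)"
    result="$(classify_reply "$out")"
    echo "stage 3: FreeRADIUS replied $result"
    [ "$result" = accept ]
}

# Usage: sh verify-ad-chain.sh <ad-username> <password>
if [ "$#" -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

A stage 2 failure with a stage 1 success almost always means the FreeRADIUS service account cannot read winbind's privileged socket, which is the point where most of these integrations stall; a stage 3 reject after a stage 2 success means the fault is in the FreeRADIUS configuration, not in the domain join.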
arnold
You can; why not use NPS from the Windows platform?
You could use FreeRADIUS as the proxy.

The integration of the mixed setup would mean you would need to configure the LDAP component of FreeRADIUS to be able to query the AD. Complicating matters, you would need to define within FreeRADIUS the criteria, group membership etc. Depending on your switches, presumably you want to use 802.1x to authorize systems/users .....

and access to manage the switch....
SYN ACK (asker)

At this moment I am configuring a series of switches, which will be deployed at the remote offices. No need for 802.1x, but I need to manage all my switches using centralised directory services, and I am using FreeRADIUS because it will run on CentOS or Ubuntu. AD is managed by another team and I don't want to change it except to add users (network admins). FreeRADIUS was used in my last organisation to authenticate users for 802.11, but here that is a project for the near future. The switches need to be managed before going to the remote sites.
That is fine; presumably you want FreeRADIUS to query an AD server to authenticate the user while you manage the group rights within RADIUS, or will everything have to be on the AD side, with FreeRADIUS using LDAP to access the AD to query?

Alternatively, you could script an export of users/groups from the AD and transfer it, with the complication that the passwords are encrypted in AD and will not be validated through FreeRADIUS?

The confusing thing for me is the inclusion of both freeradius and AD.

You need to define the interaction if any to make things clearer.
btan

FreeRADIUS supports Kerberos (with a plaintext password) and NTLM authentication (used with MS-CHAPv2). Windows clients tend to default to NTLM authentication. NTLM authentication requires that the server running FreeRADIUS is joined to the Active Directory realm (domain) as a member. The HOWTO on the FreeRADIUS wiki covers the following use cases for integrating with Active Directory:
• PAP or MSCHAP authentication with FreeRADIUS and ntlm_auth
• FreeRADIUS Active Directory Integration with example for wired 802.1X
• FreeRADIUS 3 MSCHAP authentication to AD without using ntlm_auth
(can catch the second one) http://wiki.freeradius.org/guide/HOWTO#Integrating-with-Active-Directory
But specifically for user groups, you likely have to use the ldap module, e.g. http://wiki.freeradius.org/modules/rlm_ldap#Group-Support

The use of "ntlm_auth and winbind" (for mostly PAP and MSCHAP authentication) is proven to be stable, but it is stated that it may have performance issues once there are more than around 30 authentications per second. The tools "radclient" and "radtest" will be handy for testing the FreeRADIUS server by querying it directly with requests once the setup is to be tested...
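A FreeRADIUS 3 configuration sketch tying together the pieces btan names (the exec ntlm_auth module for PAP, rlm_mschap calling ntlm_auth for MS-CHAPv2, and rlm_ldap group support for authorization) for the asker's switch-management case. This is an added example, not from the thread or the FreeRADIUS wiki; the domain EXAMPLE, the DC hostname, the bind account, the AD group name "Network Admins" and the Cisco-style reply attributes are assumptions chosen for illustration. Each fragment is headed with the raddb file it belongs in.

```text
# ---- mods-available/ntlm_auth (enable with a symlink in mods-enabled/) ----
# PAP: hand the cleartext password to Samba's ntlm_auth helper.
# EXAMPLE is an assumed NetBIOS domain name.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# ---- mods-available/mschap (edit the existing module) ----
# MS-CHAPv2: rlm_mschap hands challenge/response to ntlm_auth and gets the NT key
# back for MPPE. Requires the RADIUS host to be domain-joined with winbind running.
mschap {
    use_mppe = yes
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# ---- mods-available/ldap (edit the existing module) ----
# Used only for authorization (group membership). AD does not expose password
# hashes over LDAP, so authentication stays with ntlm_auth above.
ldap {
    server = 'dc1.example.local'                                          # assumed DC
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=local'   # assumed read-only bind account
    password = 'change-me'
    base_dn = 'DC=example,DC=local'
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        membership_attribute = 'memberOf'
    }
}

# ---- sites-available/default (relevant sections only) ----
authorize {
    preprocess
    mschap        # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    if (!&control:Auth-Type && &User-Password) {
        update control {
            &Auth-Type := ntlm_auth     # plain PAP requests go to the exec module
        }
    }
    ldap          # looks the user up so the LDAP-Group comparison below can work
    # Only members of the assumed AD security group may manage switches.
    if (!(&LDAP-Group == "Network Admins")) {
        reject
    }
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}

post-auth {
    # Reply attributes for an administrative shell session. Cisco-AVPair is an
    # IOS-specific VSA (assumption: Cisco IOS switches); other vendors use their own.
    update reply {
        &Service-Type := NAS-Prompt-User
        &Cisco-AVPair := "shell:priv-lvl=15"
    }
}
```

The ordering in `authorize` is what enforces the asker's requirement: the group check runs before any password is verified, so an AD account with a valid password but outside "Network Admins" is rejected without ever reaching `authenticate`. The bind account only needs read access to user and group objects, which keeps the change on the AD side to creating the group and the service account.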
SYN ACK (asker)

Many thanks
FreeRADIUS Active Directory Integration with example for wired 802.1X

This is the only one that works without reducing AD DC security.
ASKER CERTIFIED SOLUTION
btan