Hi All.

This is my attempt at giving back to the freeradius community. Maybe others will find my configuration useful in their efforts.

I'm a network guy, and I do quite a bit of consulting work for various companies. I have a customer in particular who (prior to this) was using a very out-of-date Cisco ACS server, and couldn't afford the renewal/licensing fees to bring it up to date. They are using Microsoft's Active Directory on Windows Server 2000 as the primary database for all identities/passwords.

The goals of this configuration are:

1. Provide AAA for administrative access to network devices (mostly, SSH access to Cisco routers/switches/firewalls).
2. Provide AAA for 802.11 WLAN users who are using Windows XP and "Wireless Zero" clients (Cisco 1231 series access points).
3. Provide AAA for VPN users who use the Cisco Secure VPN client from remote locations (Cisco 3000 series concentrators).

The freeradius server itself will run on a CentOS 5.4 Linux box. The company doesn't like "make install" application installs (nor do I), so I simply grabbed the SRPM from the Fedora Project's Koji build server for the latest freeradius, and built it. This process is outside the scope of this particular posting, as I want to focus on freeradius itself. The Fedora spec file builds multiple binary packages that you can install based on what you want to do with freeradius. These are the packages I'm using:

  freeradius-utils-2.1.8-2
  freeradius-2.1.8-2
  freeradius-ldap-2.1.8-2

The company has one Active Directory forest, and one subdomain. Users exist under both. So, for this configuration, we'll call the primary zone COMPANY.COM and SUB.COMPANY.COM. Both domains must be queried for authorization & authentication.

The following rules apply for access:

1. User must exist within the AD forest (as defined by my LDAP search parameters).
2. User must be a member of a particular group (defined by the users file) for certain types of access:
   a) For administrative access to network devices, the user must be a member of the group networkteam.
   b) Access to use the VPN, user must be a member of the group vpnusers.
   c) Access to the wireless network, user must be a member of group wifiusers.

VPN and Network-Admin users achieve both authorization and authentication using nothing more than the rlm_ldap module. Wireless users do not use LDAP at all, but instead, they use the eap and mschap modules. The mschap module is configured to use ntlm_auth, which requires Samba's winbind to be configured on the backend.

It took me some time (and I will not admit how much time) to figure out how to make this all work. I blame most of this on the fact that freeradius has been around a long time, and as a result there's lots of obsolete documentation out there for Google to find. I believe this configuration uses mostly up-to-date syntax; however, I'm always interested in feedback on how to do things better.

Interestingly, this whole process brought back a case of severe déjà vu for me. I wrote a combination TACACS/RADIUS server WAY back in the day when the Livingston Portmaster 2 series was king of dialup. Many users on the Livingston mailing list used my source code. This really made me feel old. :(

Anyway, on to the good stuff.
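An added example (my own, not the poster's configuration, which is not reproduced here) of how the three group rules above can be expressed in FreeRADIUS 2.1.x. It assumes two rlm_ldap instances named company and sub (one per domain), constructed NAS addresses in huntgroups, and, because wireless users never touch LDAP in this design, ntlm_auth's --require-membership-of so winbind enforces wifiusers itself.

```conf
# raddb/modules/ldap -- one rlm_ldap instance per domain.  Naming the
# instance "company" registers the check attribute company-Ldap-Group;
# a second, otherwise identical instance "sub" registers sub-Ldap-Group.
# List both in radiusd.conf's instantiate {} so the attributes exist
# before rlm_files parses the users file below.
ldap company {
        server = "dc1.company.com"                      # assumed host
        identity = "cn=radius-bind,cn=Users,dc=company,dc=com"
        password = "BIND-PASSWORD-PLACEHOLDER"
        basedn = "dc=company,dc=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = "cn"
        # AD stores membership on the group object, not on the user
        groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
}

# raddb/huntgroups -- classify requests by sending NAS (needs the
# preprocess module in authorize; addresses are constructed)
netdevices      NAS-IP-Address == 192.0.2.10
netdevices      NAS-IP-Address == 192.0.2.11
vpn             NAS-IP-Address == 192.0.2.20

# raddb/users -- group gate per access type.  The first matching entry
# wins (Fall-Through defaults to no), so the trailing Reject only fires
# when neither domain's group check matched.
DEFAULT Huntgroup-Name == "netdevices", company-Ldap-Group == "networkteam"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == "netdevices", sub-Ldap-Group == "networkteam"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == "netdevices", Auth-Type := Reject
        Reply-Message = "networkteam membership required"

DEFAULT Huntgroup-Name == "vpn", company-Ldap-Group == "vpnusers"
        Service-Type = Framed-User
DEFAULT Huntgroup-Name == "vpn", sub-Ldap-Group == "vpnusers"
        Service-Type = Framed-User
DEFAULT Huntgroup-Name == "vpn", Auth-Type := Reject
        Reply-Message = "vpnusers membership required"

# raddb/modules/mschap -- wireless (PEAP/MSCHAPv2) users: winbind answers
# the challenge and refuses anyone outside COMPANY\wifiusers ("\\" is one
# backslash inside a FreeRADIUS double-quoted string).
mschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=COMPANY\\wifiusers"
}
```

Run `radiusd -X` and watch for "Unknown attribute company-Ldap-Group" at startup; that message means the ldap instances were instantiated after rlm_files rather than via instantiate {}.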
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html