Sturgis, Grant wrote:
Greetings list,
Brand new freeradius user here, I will try not to be too obnoxious with
silly questions.
My goal is to replace the Cisco ACS solution with Freeradius, including:
1. Shell (telnet/ssh) access to network switches/routers/firewalls
2. EAP-TLS to the wireless network
3. Potentially 802.1x auth to wired network ports
I would like to use our network directory (W2K3 AD) user accounts for
all of the above. And I would also like to be able to restrict based on
group membership - so that only members of the "Cisco_Admin" group can
log into switches and only members of the "wireless" group can
authenticate to the WAPs.
My question is:
Would it be wiser to pursue the mschap / ntlm_auth / winbind module
solution or the ldap module solution?
You will probably need both.
mschap/ntlm_auth/winbind are needed to authenticate peap/mschap against
active directory; LDAP cannot be used.
Conversely, LDAP is the "optimal" way of looking up groups in AD; though
on reflection, I wonder if a winbind module would be useful.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
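To make the "you will probably need both" answer concrete, here is an added configuration sketch in FreeRADIUS 3 syntax (it is not from the original thread and not the project's shipped defaults). mschap hands the MS-CHAPv2 challenge/response to Samba's ntlm_auth for PEAP logins, while the ldap module is used only to look up group membership in AD; the group names, NAS-Port-Type mapping, host names and DNs are assumptions for illustration. Note that EAP-TLS never touches the password path at all, so for the wireless goal the ntlm_auth part only matters if PEAP/MSCHAPv2 is also offered.

```unlang
# mods-available/mschap (assumed: Samba joined to the AD domain, winbindd running,
# and the radiusd user allowed to read the winbind privileged pipe)
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    # Authentication is delegated to ntlm_auth; the DC validates the NT response.
    # On recent Samba releases --allow-mschapv2 may be required as well.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# mods-available/ldap (assumed host, service account and base DN)
ldap {
    server = "ldaps://dc1.example.internal"
    identity = "CN=svc-radius,OU=Service Accounts,DC=example,DC=internal"
    password = "CHANGE-ME"           # placeholder; a read-only service account is enough
    base_dn = "DC=example,DC=internal"

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    # Group checks are answered by AD's memberOf attribute, not by bind attempts.
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        name_attribute = cn
        membership_attribute = "memberOf"
        cacheable_name = no
        cacheable_dn = no
    }
}

# sites-available/default (relevant parts only)
authorize {
    preprocess
    mschap                      # sets Auth-Type MS-CHAP when MS-CHAP attrs are present
    eap                         # sets Auth-Type EAP for PEAP / EAP-TLS
    ldap                        # attribute lookup only; no bind-as-user against AD

    # Policy by access path (assumed mapping: Cisco vty logins arrive with
    # NAS-Port-Type = Virtual, wireless controllers with Wireless-802.11).
    if (&NAS-Port-Type == Virtual) {
        if (!(&LDAP-Group == "Cisco_Admin")) {
            reject
        }
    }
    elsif (&NAS-Port-Type == Wireless-802.11) {
        if (!(&LDAP-Group == "wireless")) {
            reject
        }
    }
}

authenticate {
    Auth-Type MS-CHAP {
        mschap                  # ntlm_auth -> winbindd -> domain controller
    }
    eap                         # PEAP inner MS-CHAPv2 ends up in mschap too; EAP-TLS uses certificates
}

post-auth {
    # Grant exec privilege on Cisco devices only to the admin group.
    if (&NAS-Port-Type == Virtual && &LDAP-Group == "Cisco_Admin") {
        update reply {
            &Cisco-AVPair += "shell:priv-lvl=15"
        }
    }
}
```

The split follows the reply exactly: AD will not hand out NT hashes over LDAP, so the only way to verify an MS-CHAPv2 response is through a domain member (ntlm_auth via winbindd), whereas LDAP is the cheapest way to read memberOf. When testing with radtest or eapol_test, run radiusd in debug mode (radiusd -X) and confirm that the LDAP-Group comparison is evaluated against the user's DN rather than silently returning false because the user entry was not found. Later FreeRADIUS 3.0 releases also added winbind_username and winbind_domain options to the mschap module, which speak to winbindd directly instead of forking ntlm_auth for every login, which is the "winbind module" the reply wonders about.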