Re: best practice for combination freeradius -- active directory?

2005-10-07 Thread Joe Maimon

ho wrote:

> Hi all,
>
> I need some more ideas for doing a good, stable and easy to use
> connection between freeradius and Active Directory.

You can always proxy radius to the IAS component that comes with windows 
that authenticates against AD. There are other ways.
joe
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: best practice for combination freeradius -- active directory?

2005-10-07 Thread Alan DeKok
"ho" <[EMAIL PROTECTED]> wrote:
> - has anybody implemented a similar system?

  Yes.

> - what could be a alternative/better way to make a connection between
> freeradius and the AD-Servers only for password-authentication?

  ntlm_auth.  See "radiusd.conf"

> - I've heard from our AD-Gods ;-) that kerberos is used in the
> AD-system and that it could be a way?

  If you're doing MS-CHAP or wireless, no.

  Alan DeKok.
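The ntlm_auth route Alan points to, written out as a radiusd.conf fragment in the 1.x module/section layout; this is an added example, not text from the thread or from FreeRADIUS's own shipped config. It assumes the RADIUS host is already joined to the domain with winbindd running, that Samba's ntlm_auth is installed at /usr/bin/ntlm_auth, that the domain is called EXAMPLE, and that the ASA sends PAP (a cleartext User-Password in the request).

```conf
# --- radiusd.conf (added example; paths and domain name are assumed) ---
modules {
    # Run Samba's ntlm_auth once per request. "wait = yes" blocks until the
    # program exits; a non-zero exit code becomes an Access-Reject.
    # Only the password check is delegated to AD. Authorization (Cisco ACLs)
    # and accounting (MySQL) stay exactly where they are on the Linux box.
    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{User-Name} --password=%{User-Password}"
    }
}

authenticate {
    # Declares a new Auth-Type value that is satisfied by the exec
    # module instance above.
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}

# --- users (added example) ---
# Send every request down the ntlm_auth path instead of Auth-Type = System.
DEFAULT Auth-Type := ntlm_auth

# Caveats a practitioner should keep in mind:
# - %{User-Password} only expands when the NAS sends PAP. For MS-CHAP the
#   same tool takes --challenge and --nt-response instead of --password.
# - The password is handed to ntlm_auth on its command line, so it is
#   briefly visible to local users in the process list; keep the RADIUS
#   host single-purpose and radiusd.conf readable only by the radiusd user.
```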


best practice for combination freeradius -- active directory?

2005-10-07 Thread ho

Hi all,

I need some more ideas for doing a good, stable and easy to use connection between freeradius and Active Directory.

First of all a little bit of our configuration and history:

I've set up a freeradius server for authentication/authorization/accounting of DSL dial-in users on a Cisco ASA. It works very well:

- local (Auth-Type = System) authentication on a Linux box
- authorisation (especially Cisco ACLs)
- MySQL DB -- accounting (this is my favourite feature!)

A new requirement was given to make a connection between the ASA and our central authentication: Active Directory. AD is a must in our company.

First there were many thoughts in my brain, then I decided to use a NIS master/client combination to do this stuff (it was the easiest way for me to implement).

-> freeradius-server is the NIS client, so Auth-Type = System still remains
-> the AD servers have MS SFU (Services for Unix) installed with a NIS master server.

Everything works well ... but the procedure to get the AD users into the SFU NIS master server seems to be a little bit tricky, particularly the password stuff (it must be changed in the AD the first time it was brought into SFU, although it was synchronized !!??). I think this is a solution for 1-100 users, but not for 2000, and this is our aim.

An LDAP server is not planned in our company.

So now my questions:

- has anybody implemented a similar system?

- what could be an alternative/better way to make a connection between freeradius and the AD servers only for password authentication? Authorization and accounting still remain on the Linux box.

- I've heard from our AD-Gods ;-) that kerberos is used in the AD system and that it could be a way?
---> has anybody tried this?

I would be glad for any idea or hints.

Thank you.
