Hello all, I am relatively new to the RADIUS world, FreeRADIUS is my first RADIUS server, I am looking forward to learning as much as I can about it.
So far, I have configured FreeRADIUS successfully to authenticate users against a Windows 2003 Active Directory server for 802.1X PEAP port-based authentication using Cisco Catalyst switches. I used the ntlm_auth technique for the authentication side.

Now that I have that working, I am researching how to extend the FreeRADIUS server to provide LDAP-based authorization for privileged-level access into the switches as well. I would prefer to simply do an LDAP search to determine if the given user is located inside a specific AD group, and base the authorization response on the result of that query. I've looked through the rlm_ldap docs on the FreeRADIUS wiki, as well as a few other tutorials out on the web. However, I haven't seen anyone who is simply trying to authorize (not authenticate) based on group membership in AD. I would prefer to avoid having to store any passwords in the LDAP database if at all possible.

In the interest of keeping my request simple, I am looking to accomplish the following:

1. Keep my current 802.1X PEAP port-based auth working.
2. Add in the functionality to control privileged access to Cisco devices based on group membership in our AD domain.

Before I get neck-deep in testing out configs and debugging, I would like to ask if this is a feasible goal. If it is, I would appreciate any relevant references you know of so that I may start researching the proper configuration changes needed to achieve this. In addition, I'd like to know if anyone out there has this kind of configuration in place and working.

Thanks for your time,
Charles

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
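The authorization-only setup Charles describes is feasible, and the following is an added illustration of what it looks like on FreeRADIUS 2.x; it is not from the post or from the FreeRADIUS project. It shows an rlm_ldap instance that binds to AD with a read-only service account purely to search for the user and test group membership, plus `users` entries that hand Cisco IOS a privilege level only when the group check succeeds. The hostname, DNs, group name and service account are placeholders. The `NAS-Port-Type == Virtual` match assumes the Catalyst sends that value for VTY (telnet/ssh) logins, which IOS does by default, and is what keeps these entries from touching 802.1X sessions (NAS-Port-Type = Ethernet). The fragment is not a complete raddb: `ldap` still has to be listed in the `authorize` section of the server(s) that receive the switch-login requests, authentication remains with ntlm_auth, and the switch itself needs `aaa authorization exec` pointed at RADIUS.

```conf
# raddb/modules/ldap  (FreeRADIUS 2.x) -- added example; every value here is a placeholder
ldap {
	# AD domain controller. Use ldaps:// or start_tls in production so the
	# service-account bind below does not cross the wire in the clear.
	server = "dc1.example.com"
	port = 389

	# Read-only service account used only to search AD. This is the only
	# password involved: no user passwords are stored in or read from LDAP.
	identity = "CN=svc-radius,OU=Service Accounts,DC=example,DC=com"
	password = "changeme"

	basedn = "DC=example,DC=com"

	# Locate the user object by sAMAccountName; Stripped-User-Name is used
	# when a realm was stripped, otherwise User-Name.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Group membership in AD: groups are objectClass=group with a 'member'
	# attribute holding user DNs, and each user object carries 'memberOf'.
	# Ldap-Group checks first consult memberOf on the user, then fall back
	# to this filter search keyed on the group's cn.
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
	groupmembership_attribute = memberOf

	# Do not let rlm_ldap claim Auth-Type = LDAP for requests carrying a
	# User-Password; authentication stays with ntlm_auth and this module
	# is used for authorization only.
	set_auth_type = no

	dictionary_mapping = ${confdir}/ldap.attrmap
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

# raddb/users -- privilege level for switch logins only.
# Cisco IOS sends NAS-Port-Type = Virtual for VTY sessions and Ethernet for
# 802.1X, so the 802.1X path never matches these entries. Fall-Through
# defaults to No, so the first matching DEFAULT wins.
DEFAULT NAS-Port-Type == Virtual, Ldap-Group == "CN=Network Admins,OU=Groups,DC=example,DC=com"
	Cisco-AVPair = "shell:priv-lvl=15"

# Anyone logging in to a switch who is not in the group is rejected outright,
# even if their AD password is correct.
DEFAULT NAS-Port-Type == Virtual, Auth-Type := Reject
```

Two points worth checking with `radiusd -X` once this is in place: that the debug output for a VTY login shows `Ldap-Group` being evaluated (and the `memberOf` or filter search it performs), and that an 802.1X request still shows `Auth-Type` being set by the EAP/MS-CHAP path rather than by `ldap`, which is what `set_auth_type = no` is there to guarantee.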