Charles Jones wrote:
> Now that I have that working, I am researching how to extend the
> FreeRADIUS server to provide LDAP-based authorization for privileged
> level access into the switches as well. I would prefer to simply do
> an LDAP search to determine if the given user is located inside a
> specific AD group, and base the authorization request on the response
> from that query.

In the "users" file, do:

DEFAULT LDAP-Group == "foo"
        Reply-Message = "This worked",
        ... reply with more stuff ...

> In the interest of keeping my request simple, I am looking to
> accomplish the following:
> 1. Keep my current 802.1x PEAP port-based-auth working.

There's no need to change it.

> 2. Add in the functionality to control privileged access to Cisco
> devices based on group membership in our AD domain.

You can configure any policies, and any response attributes, based on LDAP-Group checking.

> Before I get neck-deep in testing out configs and debugging, I would
> like to ask if this is a feasible goal. If it is, I would appreciate
> any relevant references you know of so that I may start researching
> the proper configuration changes needed to achieve this. In addition,
> I'd like to know if anyone out there has this kind of configuration in
> place, and working.

Lots of people do exactly this.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
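A fuller "users" file fragment for the Cisco privileged-access case described in the thread, added here as an illustration and not taken from Alan's reply or the FreeRADIUS distribution. The group names "netadmins" and "helpdesk", the privilege levels, and the assumption that rlm_ldap is configured with a group filter for AD and listed in the site's authorize section are all placeholders for the reader's own setup:

```text
# Added example, not from the list post. Assumes rlm_ldap is configured with
# a groupmembership_filter / groupname_attribute that resolves AD groups, and
# that "ldap" appears in the authorize section so LDAP-Group comparisons can
# be evaluated while the "files" module processes these entries.
# Group names and privilege levels are placeholders.

# Full enable-level access for members of the admin group.
# The first matching entry wins; without Fall-Through = Yes, later
# DEFAULT entries are not consulted.
DEFAULT LDAP-Group == "netadmins"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Reply-Message = "Network administrator login"

# Read-only exec access for a second group.
DEFAULT LDAP-Group == "helpdesk"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1",
        Reply-Message = "Helpdesk login"

# Catch-all for non-EAP requests (device CLI logins) that matched neither
# group: a valid AD password alone must not grant switch access.
# "EAP-Message !* ANY" matches only when no EAP-Message attribute is in the
# request, so 802.1X PEAP requests never reach this reject.
DEFAULT EAP-Message !* ANY, Auth-Type := Reject
        Reply-Message = "Not authorized for device access"
```

When testing, run the server in debug mode (radiusd -X) and watch the "files" module output: it names the users-file entry each request matched, which is the quickest way to confirm that a switch login lands on the intended group entry while PEAP requests pass through untouched.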