Difference between revisions of "Freeradius AD LDAP Authentication"
From falz.net
(Created page with "Category:Unix Category:Network FreeRadius2 LDAP auth to Win2k12 AD for Cisco/Juniper login authentication. * Have an existing AD. Create a few groups for read-write...") |
|||
| Line 52: | Line 52: | ||
update reply { | update reply { | ||
cisco-avpair = "shell:priv-lvl=1", | cisco-avpair = "shell:priv-lvl=1", | ||
| − | + | Juniper-Local-User-Name = "op" | |
| − | |||
} | } | ||
} | } | ||
else { | else { | ||
reject | reject | ||
| + | } | ||
| + | |||
| + | * Not going into detail of your router configs, but they will have to be configured to point to your RADIUS server. On the Juniper side the "op" and "superuser" referenced above will have to map to some classes and users: | ||
| + | |||
| + | system { | ||
| + | login { | ||
| + | class super-user-local { | ||
| + | permissions all; | ||
| + | } | ||
| + | class operator-local { | ||
| + | permissions [ clear network reset trace view ]; | ||
| + | } | ||
| + | user superuser { | ||
| + | uid 2000; | ||
| + | class super-user-local; | ||
| + | } | ||
| + | user op { | ||
| + | uid 2001; | ||
| + | class operator-local; | ||
| + | } | ||
| + | } | ||
} | } | ||
Revision as of 14:31, 7 March 2017
FreeRadius2 LDAP auth to Win2k12 AD for Cisco/Juniper login authentication.
- Have an existing AD. Create a few groups for read-write or read-only access. Let's use:
- network-operators: router login permitted, read only
- network-administrators: full admin/config access
- Install freeradius packages on your centos-ey server:
- yum install freeradius freeradius-ldap
- Create an AD user for freeradius application to bind to LDAP. Let's call it 'freeradius'.
- /etc/raddb/modules/ldap:
ldap {
server = "ad.yourcompany.com"
port = 389
start_tls = yes
identity = "CN=freeradius,OU=Applications,DC=ad,DC=yourcompany,DC=com"
password = password_goes_here
basedn = "DC=ad,DC=yourcompany,DC=com"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
edir_account_policy_check=no
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
chase_referrals = yes
rebind = yes
}
- Modifications to sites-enabled/default:
- In the authorize {} section:
- uncomment 'ldap'
- comment 'files' (which refers to the users plain text file)
- In the authenticate {} section, uncomment:
- In the authorize {} section:
Auth-Type LDAP {
ldap
}
- in the post-auth {} section add this section to do LDAP group to radius reply item mapping:
if (LDAP-Group == "network-administrators") {
update reply {
cisco-avpair = "shell:priv-lvl=15",
Juniper-Local-User-Name = "superuser"
}
}
elsif (LDAP-Group == "network-operators") {
update reply {
cisco-avpair = "shell:priv-lvl=1",
Juniper-Local-User-Name = "op"
}
}
else {
reject
}
- Not going into detail of your router configs, but they will have to be configured to point to your RADIUS server. On the Juniper side the "op" and "superuser" referenced above will have to map to some classes and users:
system {
login {
class super-user-local {
permissions all;
}
class operator-local {
permissions [ clear network reset trace view ];
}
user superuser {
uid 2000;
class super-user-local;
}
user op {
uid 2001;
class operator-local;
}
}
}