Freeradius AD LDAP Authentication

From falz.net

Latest revision as of 14:21, 27 January 2018


FreeRADIUS 2 LDAP authentication against a Windows Server 2012 Active Directory, used for Cisco and Juniper router login. Router roles (read-only operator vs. full administrator) are mapped to AD groups; a user who is in neither group is rejected.

AD Configuration

  • Have an existing AD. Create a few groups for read-write or read-only access. Let's use:
    • network-operators: router login permitted, read only
    • network-administrators: full admin/config access
  • Create an AD user for the freeradius application to bind to LDAP. Let's call it 'freeradius'. You will probably want its password set not to expire. It only needs to read user and group objects, so do not put it in any privileged group: its password sits in clear text in the FreeRADIUS configuration.


FreeRadius / Centos Config

  • Install the freeradius packages on your CentOS (or similar) server:
yum install freeradius freeradius-ldap
  • /etc/raddb/modules/ldap (it holds the bind password in clear text, so keep the file owned by root:radiusd and not world-readable):
ldap {
	server = "ad.yourcompany.com"
	port = 389
	# Upgrade the port-389 connection to TLS so neither the bind password nor
	# the users' passwords cross the network in clear. On its own this does not
	# verify the DC's certificate: also set the CA file and require_cert to
	# "demand" (tls_cacertfile / tls_require_cert, or the tls {} sub-section on
	# newer 2.x releases; see the shipped modules/ldap for your version),
	# otherwise the connection can be intercepted.
	start_tls = yes
	# Low-privilege service account; it only needs to read users and groups.
	identity = "CN=freeradius,OU=Applications,DC=ad,DC=yourcompany,DC=com"
	password = password_goes_here
	basedn = "DC=ad,DC=yourcompany,DC=com"
	# Find the user by sAMAccountName (realm stripped if one was given).
	filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
	# Used by LDAP-Group checks: direct membership only, nested groups are not followed.
	groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
	groupmembership_attribute = memberOf
	edir_account_policy_check=no
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	# AD answers with referrals for the forest; follow them, re-binding with the same credentials.
	chase_referrals = yes
	rebind = yes
}
  • Modifications to sites-enabled/default:
    • In the authorize {} section:
      • uncomment 'ldap'
      • comment 'files' (which refers to the users plain text file)
    • In the authenticate {} section, uncomment the block below. With it, FreeRADIUS authenticates by binding to AD as the user with the password from the request, which only works when that password arrives in clear, i.e. with PAP; the routers must therefore be set up for PAP, and the RADIUS shared secret is all that protects the password between router and RADIUS server.
Auth-Type LDAP {
    ldap
}
  • In the post-auth {} section, add this block to map LDAP group membership to RADIUS reply items. Each LDAP-Group comparison does a group lookup through groupmembership_filter, so it sees direct membership only (nested groups are not matched). The first matching branch wins, so a user in both groups becomes an administrator, and anyone in neither group gets an Access-Reject rather than an empty Access-Accept:
# LDAP-Group lookups use groupmembership_filter; direct membership only.
# First match wins; a user in neither group is rejected (deny by default).
if (LDAP-Group == "network-administrators") {
	update reply {
		cisco-avpair = "shell:priv-lvl=15",
		Juniper-Local-User-Name = "superuser"
	}
}
elsif (LDAP-Group == "network-operators") {
	update reply {
		cisco-avpair = "shell:priv-lvl=1",
		Juniper-Local-User-Name = "op"
	}
}
else {
	reject
}
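To see what the steps above actually produce on the wire, here is an added example (not code from the original page or from the FreeRADIUS project) that builds the PAP Access-Request a router sends, recovers the clear-text password the way FreeRADIUS must before binding to AD, builds the Access-Accept with the Cisco and Juniper vendor-specific attributes the post-auth mapping sets, verifies its Response Authenticator, and decodes the role attributes. The shared secret, NAS address, packet identifier and AD group membership are constructed sample values; the server side is simulated locally and no LDAP or RADIUS server is contacted.

```python
"""RFC 2865 PAP login exchange, simulated end to end (added example, offline)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VSA = 1, 2, 4, 26
VENDOR_CISCO, VENDOR_JUNIPER = 9, 2636       # IANA enterprise numbers
CISCO_AVPAIR = 1                              # Cisco-AVPair
JUNIPER_LOCAL_USER_NAME = 1                   # Juniper-Local-User-Name

# Reply items per AD group, constructed to match the post-auth mapping above.
GROUP_REPLY = {
    "network-administrators": (b"shell:priv-lvl=15", b"superuser"),
    "network-operators": (b"shell:priv-lvl=1", b"op"),
}


def pap_obfuscate(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block), seeded by the Request Authenticator.
    Only the shared secret hides the password; keep RADIUS on a management net."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_reveal(cipher, secret, request_auth):
    """Inverse of pap_obfuscate: what FreeRADIUS does before binding to AD."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; the length counts its two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-octet vendor id followed by a vendor TLV."""
    return attr(ATTR_VSA, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)


def build_access_request(user, password, secret, nas_ip, ident, request_auth=None):
    request_auth = request_auth or os.urandom(16)    # must be unpredictable per request
    body = (attr(ATTR_USER_NAME, user.encode())
            + attr(ATTR_USER_PASSWORD, pap_obfuscate(password.encode(), secret, request_auth))
            + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(reply, request_auth, secret):
    """NAS side: a reply forged without the secret, or replayed against another
    request's authenticator, fails this check and must be ignored."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def parse_attributes(pkt):
    """Yield (type, vendor_id, vendor_type, value); vendor fields are None unless type 26."""
    length = struct.unpack("!H", pkt[2:4])[0]
    pos = 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_VSA:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            yield atype, vendor_id, vtype, value[6:4 + vlen]
        else:
            yield atype, None, None, value
        pos += alen


def decode_roles(reply):
    """Pull the two role attributes the routers act on out of an Access-Accept."""
    roles = {}
    for atype, vendor_id, vtype, value in parse_attributes(reply):
        if atype != ATTR_VSA:
            continue
        if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR and value.startswith(b"shell:priv-lvl="):
            roles["cisco_priv_lvl"] = int(value.split(b"=", 1)[1])
        elif vendor_id == VENDOR_JUNIPER and vtype == JUNIPER_LOCAL_USER_NAME:
            roles["juniper_local_user"] = value.decode()
    return roles


def login_exchange(user, password, ad_group, secret=b"testing123"):
    """One simulated login; returns (reply code, decoded roles). ad_group stands in
    for the LDAP-Group lookup and the AD bind is assumed to succeed."""
    ident = 42                                        # constructed sample identifier
    request = build_access_request(user, password, secret, "192.0.2.10", ident)
    request_auth = request[4:20]
    for atype, _, _, value in parse_attributes(request):      # server side
        if atype == ATTR_USER_PASSWORD:
            assert pap_reveal(value, secret, request_auth) == password.encode()
    if ad_group not in GROUP_REPLY:                   # the post-auth 'else { reject }' branch
        reply = build_response(ACCESS_REJECT, ident, request_auth, secret)
    else:
        avpair, juniper_user = GROUP_REPLY[ad_group]
        reply = build_response(ACCESS_ACCEPT, ident, request_auth, secret,
                               vsa(VENDOR_CISCO, CISCO_AVPAIR, avpair)
                               + vsa(VENDOR_JUNIPER, JUNIPER_LOCAL_USER_NAME, juniper_user))
    if not verify_response(reply, request_auth, secret):    # NAS side
        raise ValueError("bad Response Authenticator")
    roles = decode_roles(reply) if reply[0] == ACCESS_ACCEPT else {}
    return reply[0], roles


if __name__ == "__main__":
    for user, group in (("alice", "network-administrators"), ("bob", "network-operators"), ("eve", "domain-users")):
        print(user, login_exchange(user, "Pa55w0rd!", group))
```

The point to take from `pap_obfuscate` is that the User-Password is hidden only by MD5 keyed with the shared secret, which is why a long random secret per router and a dedicated management network matter for this design; `verify_response` is the check a router performs before trusting any priv-lvl or local-user it is handed.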

Router Config

Router configuration is not covered in detail here: each device has to be pointed at the RADIUS server with PAP and the shared secret. On Cisco IOS the shell:priv-lvl value only takes effect if exec authorization is also sent to RADIUS (aaa authorization exec ... group radius), otherwise the login succeeds but lands at the default privilege level.

On the Juniper side, the "op" and "superuser" values returned in Juniper-Local-User-Name above must exist as local template users mapped to login classes. Junos falls back to a local user named "remote" when no Juniper-Local-User-Name comes back, so do not define one unless you want that fallback:

system {
    login {
        class super-user-local {
            permissions all;
        }
        class operator-local {
            permissions [ clear network reset trace view ];
        }
        user superuser {
            uid 2000;
            class super-user-local;
        }
        user op {
            uid 2001;
            class operator-local;
        }
    }
}