
List:       freeradius-users
Subject:    Re: MIgrating ACS to Freeradius
From:       Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date:       2013-11-20 17:01:26
Message-ID: F8EEC250-4752-4426-98D9-41B9178ADF1D () freeradius ! org


On 20 Nov 2013, at 16:23, Zafar Pravaiz <zpravaiz@aus.edu> wrote:

> Dear Community,
> 
> I am in the process of replacing our Cisco ACS with FreeRADIUS for our wireless
> authentication and am trying to achieve the same functionality as ACS. Here is what I
> need.
> 1. It should authenticate against AD.
> 2. The user should be checked for membership in a specific group in AD and have a specific
> Called-Station-Id (if user is in AD group == Students and Called-Station-Id == *SSID
> then Access-Accept).

Or should be in a particular group and should be logging in from a specific SSID...
Yes you can do that. See man unlang, and the LDAP-Group attribute.

There's already a stock policy called 'rewrite_called_station_id' which splits out
the SSID. It's really as simple as:

server inner {
	authorize {
		# Normalise Called-Station-Id ("AA-BB-CC-DD-EE-FF:ssid") to the bare
		# AP MAC and split the SSID out into Called-Station-SSID
		rewrite_called_station_id

		# Look the user up; this also enables the LDAP-Group comparison
		# below, which the ldap module resolves from its group configuration
		ldap

		# After the rewrite the SSID lives in Called-Station-SSID, not in
		# Called-Station-Id (which now holds only the AP MAC)
		if ((LDAP-Group == 'Students') && (Called-Station-SSID == 'student_ssid')) {
			update reply {
				Reply-Message := "Hello student!"
			}
		} else {
			# Default: anyone who matches no policy is rejected
			reject
		}
	}
}

The complexity of dealing with the different representations of groups, and using the
libldap API is all dealt with for you, if you put the correct values in the LDAP
config, it just works.

> 3. There should be multiple policies for various condition matches like the above.

man unlang

> 4. Default should be Reject.

man unlang

> 5. All user auth (pass/fail) should be logged in file/syslog with rejection reason.

See the linelog module.

> I have achieved only the 1st point.
> 
> Has anyone done the same? Is it possible in FreeRADIUS? Can someone point me in the right
> direction or share a config?

Look, this is pretty basic stuff, there's tons of documentation on the net around
LDAP groups in FreeRADIUS.

The rest is site specific policies which you need to write. No one else's config will
do what you want.

The reason we have the policy language in FreeRADIUS is because there's no way we
could write C modules to cover all the different deployment scenarios.

The C modules that do exist are there to allow integration with systems it would be
too cumbersome to expose via the simple policy language.

-Arran

Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
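Worked example for points 2 to 5 of the question (multiple group/SSID policies, default reject, and pass/fail logging with a reason). This is an added illustration written for this page, not the poster's config and not a stock FreeRADIUS file. It assumes FreeRADIUS 3.0.x syntax, an ldap module instance named "ldap" with group lookups configured, AD authentication already working through mschap/ntlm_auth (point 1), and `copy_request_to_tunnel = yes` in the PEAP/TTLS config so that Called-Station-Id reaches the inner tunnel. The SSID names ("student-wifi", "staff-wifi"), the AD group names ("Students", "Staff"), the log path and the use of the stock Tmp-String-0/1 attributes to carry the policy name and reject reason are all assumptions for the example.

```unlang
# --- mods-available/linelog: one instance per outcome -------------------
# Both write to the same file; set filename = syslog (plus syslog_facility)
# to send the lines to syslog instead.
linelog auth_accept_log {
	filename = ${logdir}/auth.log
	permissions = 0600
	format = "ACCEPT user=\"%{User-Name}\" ssid=\"%{Called-Station-SSID}\" ap=%{Called-Station-Id} policy=%{Tmp-String-1}"
}

linelog auth_reject_log {
	filename = ${logdir}/auth.log
	permissions = 0600
	# Module-Failure-Message is set by a module that failed (e.g. mschap on a
	# bad password); otherwise fall back to the policy reason in Tmp-String-0.
	format = "REJECT user=\"%{User-Name}\" ssid=\"%{Called-Station-SSID}\" ap=%{Called-Station-Id} reason=\"%{%{Module-Failure-Message}:-%{Tmp-String-0}}\""
}

# --- sites-available/inner-tunnel ---------------------------------------
server inner-tunnel {
	authorize {
		# Split "AA-BB-CC-DD-EE-FF:ssid" into Called-Station-Id and Called-Station-SSID
		rewrite_called_station_id
		# Inner EAP-MSCHAPv2 negotiation
		eap
		# User lookup; makes LDAP-Group comparisons below work
		ldap
		mschap

		# Policy table: the first matching branch wins and records its name
		# in Tmp-String-1 (assumed convention for this example).
		if (&Called-Station-SSID == "student-wifi" && &LDAP-Group == "Students") {
			update request { &Tmp-String-1 := "students-on-student-wifi" }
		}
		elsif (&Called-Station-SSID == "staff-wifi" && &LDAP-Group == "Staff") {
			update request { &Tmp-String-1 := "staff-on-staff-wifi" }
		}
		elsif (&Called-Station-SSID == "staff-wifi" && &LDAP-Group == "Students") {
			# Explicit deny with a reason that ends up in the reject log line
			update request { &Tmp-String-0 := "students not allowed on staff-wifi" }
			reject
		}

		# Default: nothing matched, so reject and say why
		if (!&Tmp-String-1) {
			update request {
				&Tmp-String-0 := "no policy for this group on ssid %{Called-Station-SSID}"
			}
			reject
		}
	}

	authenticate {
		# EAP-MSCHAPv2 -> mschap -> ntlm_auth against AD (assumed already configured)
		eap
		mschap
	}

	post-auth {
		# Runs only for Access-Accept
		auth_accept_log

		# Runs for every reject, whether from the policy above or from a
		# failed authentication
		Post-Auth-Type REJECT {
			auth_reject_log
		}
	}
}
```

Order matters in the policy table: a user in both Students and Staff connecting to "staff-wifi" hits the second branch, never the explicit deny. Put the most specific rules first, and keep the final `if (!&Tmp-String-1)` so that anything the table does not cover is rejected rather than silently accepted.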