
List:       freeradius-users
Subject:    Re: Initial design question
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-06-30 13:14:01
Message-ID: BBE60A3E-EF11-433A-90F4-62A706B8036F () deployingradius ! com

On Jun 30, 2021, at 8:54 AM, Jure Simšič via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> I'm trying to configure radius for an edu organisation that has the following needs:
> a1. staff wifi (edu employees)
> a2. eduroam wifi
> a3. network devices auth for admins
> a4. eth 802.1X auth in future
> 
> There are a couple of backends I need to authenticate to:
> 
> b1. staff is in MS AD - staffAD
> b2. students have another AD not part of same AD domain, I need to auth them separately - studAD

  That makes it a bit more difficult, but not impossible.

> b3. visiting students/lecturers get their auth via eduroam delegation to their home organisations
> Additionally I have special needs for a3 that apart from the u/p I need to check if they are members of a particular group.
> I've already set up the basics for b1 via winbind and it seems to be working via radtest. What I've managed to read in the various docs is that I can only authenticate to one AD via AD membership / winbind and also if I want to check group membership it has to be done via LDAP (can do it via ldapsearch).

  Yes.

  You likely need to install two versions of Samba, as Samba can only join one AD domain at a time.

> So I have a couple of questions on what is the correct way to set up all this:
> 
> 1. should I make a separate server instance in sites-available for b1-3 (or even two for b1 if I need to do a separate LDAP auth for a3) and put each one on a separate port?

  TBH, for b1 and b2, I would just create two VMs, one for each system.  That way you can create a "base" VM with FreeRADIUS, Samba, etc.  You can then customize this VM with individual rules for each AD domain, and for each set of users.

> 2. how to deal with eduroam wifi - a user can be from several realms - 1) @edu auth b1, 2) @student.edu auth b2, @anything_else delegate. Where should this actually be done? In a server configuration or in proxy.conf or where?

  In proxy.conf.  There's documentation for Eduroam on http://wiki.freeradius.org

> 3. I've already started editing files in mods-available (namely ldap) but it feels wrong to do it there on the master files.

  It's fine.  That's what revision control is for.  Use "git" to track changes to the files, and any problem you run into will be simple to solve:  just revert the configuration to a "known working" version.

  Plus, if you use "git", it's easy to put the configuration into one machine, and then "git clone" it to others.

> Should I make a copy for each LDAP server in mods and reference it somewhere or how do I make separate copies for different backends and ldap filters.. And how&where do I call the correct module for different ldap backends?

  If you use multiple VMs, you just have one LDAP module for each VM.

> So am I correct in the assumption that I will need the following servers:
> 1. one winbind for a1 and a2 @edu realm that authenticate to b1
> 2. one ldap for a2 for @student.edu to b2
> 3. one ldap for a3 (and a4) to b1
> 4. one forwarder/proxy for a2 for @other
> 
> Thanks a lot for any pointers. I'm starting to get the feeling if I don't do this the proper way from the start I'm going to get entangled in a messy knot rather soon..

  Welcome to RADIUS.  :(  It's horribly complex, because people want to do horribly complex things.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
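The realm routing asked about in question 2, written out as a FreeRADIUS 3.x proxy.conf fragment for the "staff" VM that Alan suggests (added example, not a config from this thread or from the FreeRADIUS project): @edu is handled locally against staffAD, @student.edu is forwarded to the second VM joined to studAD, and every other realm is delegated to the eduroam federation-level servers. Host names, addresses and secrets are placeholders; the realm names come from the original question.

```conf
# proxy.conf on the staff VM (FreeRADIUS 3.x).  Example added to this
# thread; addresses, secrets and server names are placeholders.
proxy_requests = yes

# The second FreeRADIUS VM, joined to studAD (backend b2).
home_server studad_vm {
	type         = auth
	ipaddr       = 192.0.2.20           # placeholder: studAD VM
	port         = 1812
	secret       = CHANGE_ME_studad     # placeholder shared secret
	status_check = status-server        # detect a dead home server early
}
home_server_pool studad_pool {
	type        = fail-over
	home_server = studad_vm
}

# National eduroam federation-level server (backend b3); your NRO
# gives you the real addresses and secrets.
home_server eduroam_flr1 {
	type         = auth
	ipaddr       = 192.0.2.101          # placeholder: federation server
	port         = 1812
	secret       = CHANGE_ME_flr        # placeholder shared secret
	status_check = status-server
}
home_server_pool eduroam_pool {
	type        = fail-over
	home_server = eduroam_flr1
}

# @edu: no auth_pool, so the request is handled locally by this VM
# (winbind -> staffAD, backend b1).
realm edu {
}

# @student.edu: proxy to the studAD VM, which carries its own
# ldap/winbind modules for that domain.
realm student.edu {
	auth_pool = studad_pool
	nostrip                             # home server needs the full identity
}

# Everything else (visiting users): delegate to eduroam.  nostrip keeps
# the outer User-Name intact so the federation can route it home.
realm DEFAULT {
	auth_pool = eduroam_pool
	nostrip
}
```

The realm is split off the User-Name by the realm module (the "suffix" instance in mods-available/realm), so that module must run in authorize before the proxying decision takes effect; the proxy.conf comments in the default install document the remaining knobs (accounting pools, fail-over order, realm case handling).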


