List: freeradius-users
Subject: Re: [EXTERNAL] Re: FreeRadius and Active Directory and SSSD
From: "Winfield, Alister \(Senior Solutions Architect\) via Freeradius-Users" <freerad
Date: 2022-05-10 15:26:21
Message-ID: AS8PR06MB8243C57A3E050F9919583CD4E3C99@AS8PR06MB8243.eurprd06.prod.outlook.com
When asking can FreeRADIUS do something there is a simple way to look at it…
Simplified thinking process is (for Authentication):
1. Get an example of the RADIUS data arriving in the Authentication packets.
2. Using ONLY that information identify the 'service' and thus get the required authentication attribute(s). (This might be delegated to something else, e.g. SAMBA, depending upon the authentication mechanisms used.)
3. Using ONLY that information / service identity get the information to fill in response attributes.
4. Build the policy that performs the lookups and constructs the reply.
99% of the time this just works; in the 1% case there are protocol reasons that it doesn't (e.g. requiring the service / user directory to hold plain text passwords for certain authentication mechanisms).
Second one that often comes up: if the question is really asking about what the RADIUS response can configure, then stop looking at RADIUS and start reading the equipment vendor's documentation. RADIUS just sends attributes and values to the equipment; what the equipment does with those attributes is totally in the hands of that vendor. Here be dragons, because there are many, many ways in which vendors interpret / misinterpret even very old, well-defined RADIUS attributes.
A.
From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org> on behalf of White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org>
Date: Tuesday, 10 May 2022 at 14:16
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Cc: White, Daniel E. (GSFC-770.0)[AEGIS] <daniel.e.white@nasa.gov>
Subject: [EXTERNAL] Re: FreeRadius and Active Directory and SSSD
Thanks.
Does the AD-LDAP connection provide AD groups to allow user "filtering"?
On 5/10/22, 09:10, "Alan DeKok" <aland@deployingradius.com> wrote:
On May 10, 2022, at 8:56 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
>
> I am trying to replace a Cistron RADIUS service running on a dinosaur of a Sparc Solaris 9 server before it explodes.
Wow. Cistron was effectively dead 20 years ago.
> This RADIUS service is only used to access network devices (switches, routers, etc.)
Likely only PAP then. But you'll have to double-check the packets. Every piece of vendor equipment does something magical and special.
> We are moving to a centralized credentials setup with usernames/passwords in Active Directory.
>
> We followed this document to connect RHEL servers.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/index
>
> Now we need a new RADIUS service that uses the AD credentials.
Odds are that you can just use PAP, and connect to AD via LDAP. And also check admin group privileges!
    if (LDAP-Group != "admin") {
        reject
    }
    ... else check passwords, etc.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
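Putting the two replies above together (Alister's "identify the service, look up the user, build the reply" steps and Alan's "PAP against AD via LDAP plus a group check"), here is what such a policy looks like in FreeRADIUS 3.x unlang. This is an added illustration written for this page, not configuration from the thread, the FreeRADIUS project or any of the posters. It assumes an rlm_ldap instance named "ldap" pointed at AD with group lookups enabled (membership_attribute = "memberOf" and cacheable_dn = yes in mods-available/ldap), that the sections go into the virtual server in sites-enabled/default, and that the group DN, the "core-" client shortname prefix and the vendor attribute values are placeholders to be replaced with your own.

```unlang
# Added example for FreeRADIUS 3.x; goes in the virtual server's
# authorize / authenticate / post-auth sections. Assumed: an rlm_ldap
# instance called "ldap" bound to AD, with group caching turned on.
# Group DN, client shortname prefix and vendor attributes are made-up.

authorize {
    # Step 1: what arrives? Network-device CLI logins send User-Name and
    # User-Password (PAP). Anything without a password cannot be checked
    # against AD this way, so stop here instead of failing later.
    if (!&User-Password) {
        reject
    }

    # Step 2: look the user up in AD. With cacheable_dn = yes, rlm_ldap
    # also fills control:LDAP-Group from the user's memberOf values.
    ldap
    if (!(ok || updated)) {
        reject
    }

    # Step 3: only members of the (assumed) network-admin group may log in
    # to any device. Non-members are rejected before any password check.
    if (!(&LDAP-Group == "cn=net-admins,ou=groups,dc=example,dc=com")) {
        reject
    }

    # AD does not expose password hashes, so authenticate by binding to
    # AD as the user with the PAP password from the request.
    update control {
        &Auth-Type := ldap
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

post-auth {
    # Step 4: build the reply per "service", here keyed on the client
    # definition the request matched. What the NAS does with these
    # attributes is vendor-defined (the Cisco-AVPair below is one
    # vendor's convention and is only an assumed example).
    if ("%{client:shortname}" =~ /^core-/) {
        update reply {
            &Service-Type := NAS-Prompt-User
            &Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
    else {
        update reply {
            &Service-Type := NAS-Prompt-User
        }
    }
}
```

The ordering matters for the point both replies make: the group check runs before the bind, so a user outside the admin group is rejected without AD ever being asked about their password, and the reply section contains nothing but attributes, leaving privilege interpretation to the device. Verify the behaviour with radiusd -X and a test request before relying on it, since the attribute names in the request and the meaning of the reply attributes depend on the specific equipment.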