Discussion:
Implementation with AD integration on RHEL7
M S
2018-12-06 20:06:03 UTC
Hi all,

Please pardon my newb-ness. I am new to RADIUS and FreeRADIUS.

How would you guys advise setting up FreeRADIUS to utilize Active Directory on RHEL7?

My goal is to provide centralized authentication for our network switches.

The RHEL7 host system that will be hosting FreeRADIUS is set up to directly authenticate users logging into it against our AD server using sssd. I was thinking that rather than setting up a separate AD relationship between FreeRADIUS and AD, would it be possible to have FreeRADIUS utilize the OS-level relationship that is set up with AD via sssd? I am not finding much online describing this setup.

Setup:
Red Hat Enterprise Linux Server release 7.6 (Maipo)
FreeRADIUS 3.0.13-9 (the version available in RHEL7 repos)

Thanks,
MS

Alan DeKok
2018-12-06 22:08:01 UTC
Post by M S
Please pardon my newb-ness. I am new to RADIUS and FreeRADIUS.
Despite rumors to the contrary, that's fine.
Post by M S
How would you guys advise setting up FreeRADIUS to utilize Active Directory on RHEL7?
Read the guide on my web site:

http://deployingradius.com/
Post by M S
My goal is to provide centralized authentication for our network switches.
The RHEL7 host system that will be hosting FreeRADIUS is set up to directly authenticate users logging into it against our AD server using sssd. I was thinking that rather than setting up a separate AD relationship between FreeRADIUS and AD, would it be possible to have FreeRADIUS utilize the OS-level relationship that is set up with AD via sssd? I am not finding much online describing this setup.
I don't think so. At least, it's not possible for MS-CHAP or PEAP. For normal User-Password authentication it might work.
Post by M S
Red Hat Enterprise Linux Server release 7.6 (Maipo)
FreeRADIUS 3.0.13-9 (the version available in RHEL7 repos)
You probably want to upgrade to 3.0.17...

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users
Matthew Newton
2018-12-06 22:13:39 UTC
Post by M S
My goal is to provide centralized authentication for our network switches.
You need to find out how they send the auth to FreeRADIUS. Likely PAP,
but might not be. PAP or MSCHAPv2 should be workable. Anything else,
unlikely.
Post by M S
The RHEL7 host system that will be hosting FreeRADIUS is set up to
directly authenticate users logging into it against our AD server
using sssd. I was thinking that rather than setting up a separate AD
relationship between FreeRADIUS and AD, would it be possible to have
FreeRADIUS utilize the OS-level relationship that is set up with AD
via sssd? I am not finding much online describing this setup.
I guess sssd gets its information via LDAP? You may as well just
configure FreeRADIUS to use LDAP directly, rather than to try and get
it to talk to the OS and do it that way.

But if the switches don't do PAP, then you're probably stuck anyway. AD
won't give you any sort of password to check.
--
Matthew
