Implementation with AD integration on RHEL7

Implementation with AD integration on RHEL7

M S
Hi all,

Please pardon my newb-ness. I am new to RADIUS and FreeRADIUS.

How would you guys advise setting up FreeRADIUS to utilize Active Directory on RHEL7?

My goal is to provide centralized authentication for our network switches.

The RHEL7 host system that will be hosting FreeRADIUS is set up to directly authenticate users logging into it against our AD server using sssd. I was thinking that rather than setting up a separate AD relationship between FreeRADIUS and AD, would it be possible to have FreeRADIUS utilize the OS-level relationship that is set up with AD via sssd? I am not finding much online describing this setup.

Setup:
Red Hat Enterprise Linux Server release 7.6 (Maipo)
FreeRADIUS 3.0.13-9 (the version available in RHEL7 repos)

Thanks,
MS

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Implementation with AD integration on RHEL7

Alan DeKok-2
On Dec 6, 2018, at 3:06 PM, M S <[hidden email]> wrote:
>
> Please pardon my newb-ness. I am new to RADIUS and FreeRADIUS.

  Despite rumors to the contrary, that's fine.

> How would you guys advise setting up FreeRADIUS to utilize Active Directory on RHEL7?

  Read the guide on my web site:

http://deployingradius.com/

> My goal is to provide centralized authentication for our network switches.
>
> The RHEL7 host system that will be hosting FreeRADIUS is set up to directly authenticate users logging into it against our AD server using sssd. I was thinking that rather than setting up a separate AD relationship between FreeRADIUS and AD, would it be possible to have FreeRADIUS utilize the OS-level relationship that is set up with AD via sssd? I am not finding much online describing this setup.

  I don't think so.  At least, it's not possible for MS-CHAP or PEAP.  For normal User-Password authentication it might work.

> Setup:
> Red Hat Enterprise Linux Server release 7.6 (Maipo)
> FreeRADIUS 3.0.13-9 (the version available in RHEL7 repos)

  You probably want to upgrade to 3.0.17...

  Alan DeKok.



Re: Implementation with AD integration on RHEL7

Matthew Newton-3
In reply to this post by M S
On Thu, 2018-12-06 at 12:06 -0800, M S wrote:
> My goal is to provide centralized authentication for our network
> switches.

You need to find out how they send the auth to FreeRADIUS. Likely PAP,
but might not be. PAP or MSCHAPv2 should be workable. Anything else,
unlikely.

> The RHEL7 host system that will be hosting FreeRADIUS is set up to
> directly authenticate users logging into it against our AD server
> using sssd. I was thinking that rather than setting up a separate AD
> relationship between FreeRADIUS and AD, would it be possible to have
> FreeRADIUS utilize the OS-level relationship that is set up with AD
> via sssd? I am not finding much online describing this setup.

I guess sssd gets its information via LDAP? You may as well just
configure FreeRADIUS to use LDAP directly, rather than to try and get
it to talk to the OS and do it that way.

But if the switches don't do PAP, then you're probably stuck anyway. AD
won't give you any sort of password to check.

--
Matthew
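
Added example, not part of the thread and not the FreeRADIUS project's own configuration: one way to set up the direct LDAP route for PAP requests on FreeRADIUS 3.0.x. The hostname, DNs, CA file and password are constructed placeholders, and the file paths assume the RHEL package layout under /etc/raddb.

```text
# /etc/raddb/mods-available/ldap  (symlink into mods-enabled/ to activate)
# Every hostname, DN, path and secret in this block is a constructed placeholder.
ldap {
	# LDAPS so the service-account and user binds are not sent in clear
	server = 'ldaps://dc1.example.com'
	identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=com'
	password = 'CHANGE-ME'
	base_dn = 'DC=example,DC=com'

	user {
		base_dn = "${..base_dn}"
		# AD keeps the login name in sAMAccountName
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	options {
		# Searches from the domain root in AD can return referrals
		chase_referrals = yes
		rebind = yes
	}

	tls {
		ca_file = /etc/pki/tls/certs/ad-ca.pem
		require_cert = 'demand'
	}
}

# /etc/raddb/sites-available/default
authorize {
	# (existing modules stay as they are)
	ldap
	# AD returns no password attribute to compare against, so the only
	# check available is a bind as the user. That needs the cleartext
	# User-Password, which is present only in PAP requests.
	if ((ok || updated) && User-Password) {
		update control {
			Auth-Type := ldap
		}
	}
}

authenticate {
	# Runs the bind-as-user check selected above
	Auth-Type LDAP {
		ldap
	}
}
```

Running `radiusd -X` while a switch sends a login shows whether the request carries User-Password (PAP) and therefore reaches the bind check.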
