This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
| radius_аутентификация_в_microsoft_ad [2013/10/09 12:51] val [Добавление RADIUS интерфейса к AD] | radius_аутентификация_в_microsoft_ad [2013/12/15 07:27] (current) val | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== RADIUS аутентификация в Microsoft AD ====== | ====== RADIUS аутентификация в Microsoft AD ====== | ||
| - | ===== Добавление RADIUS интерфейса к AD ===== | + | ===== Win2008 ===== | 
| - | ==== Win2008 ==== | + | ==== Установка и настройка ==== | 
| - | [[http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/]] | + | * Using Windows 2008 for RADIUS Authentification ([[http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/]]) | 
| - | **Server Manager -> | + | <code> | 
| + | Server Manager -> Roles -> | ||
| + | Add Roles -> Network Polices and Access Services -> Network Policy Server | ||
| + | Network Polices and Access Services -> NPS(local) -> Register server in Active Directory | ||
| + | Radius Clients and Servers -> new | ||
| + | ... | ||
| + | </code> | ||
| - | ==== Win2003 ==== | + | ==== Аутентификация Cisco login ==== | 
| - | **Add/Remove Programm -> Windows Components -> Networking services/Internet Authenticatin Service (IAS)** | + | <code> | 
| + | Server Manager -> Roles -> | ||
| + | Network Polices and Access Services -> NPS(local) -> | ||
| + | Polices -> Network Polices -> policy cisco admin -> Propeties | ||
| + | Constraints -> | ||
| + | Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP) | ||
| + | Settings -> | ||
| + | Standart -> Service-Type = NAS-Prompt | ||
| + | </code> | ||
| - | **Add peer to IAS (intgate)** | + | ==== Авторизация Cisco exec ==== | 
| - | **Remote Access Polices -> Connection to other access server -> Properties -> Edit Profile -> Authentication** | + | * Configure a Custom VSA ([[http://technet.microsoft.com/en-us/library/cc731611.aspx]]) | 
| + | * Аутентификация на сетевых устройствах CISCO средствами Active Directory ([[http://habrahabr.ru/post/135419/]]) | ||
| - | **Check Unencrypted authentication (PAP, SPAP)** | ||
| - | |||
| - | **Permit DialIn for user user** | ||
| - | ===== Тестирование RADIUS интерфейса к AD ===== | ||
| <code> | <code> | ||
| - | gate# radtest user1 'Pa$$w0rd1' server 1 'testing123' | + | Server Manager -> Roles -> | 
| - | </code> | + | Network Polices and Access Services -> NPS(local) -> | 
| + | Polices -> Network Polices -> policy cisco admin -> Propeties | ||
| + | Constraints -> | ||
| + | Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP) | ||
| + | Settings -> | ||
| + | Standart -> Service-Type = NAS-Prompt | ||
| + | Vendor Specific -> Cisco-AVPair = shell:priv-lvl=15 | ||
| + | </code>  | ||
| - | ===== Нестройка библиотеки pam radius для сервиса ssh ===== | + | ==== Аутентификация 802.1x (PEAP) ==== | 
| + | |||
| + | * При использовании PEAP в XSupplicant необходимо в поле "Other Identity" указать имя пользователя | ||
| - | ==== FreeBSD ==== | ||
| <code> | <code> | ||
| - | [gate:~] # cat /etc/radius.conf | + | Server Manager -> Roles -> | 
| - | auth server testing123 3 | + | Add Roles -> Active Directory Certificate Services | 
| + | ... Web Enrollment ... | ||
| - | [gate:~] # cat /etc/pam.d/system | + | Server Manager -> Roles -> | 
| - | ... | + | Network Polices and Access Services -> NPS(local) -> | 
| - | auth sufficient  pam_radius.so no_warn try_first_pass | + | Polices -> Network Polices -> new | 
| - | auth required  pam_unix.so  no_warn try_first_pass  | + | Plicy Name: policy 802.1x | 
| - | ... | + | Conditions: Windows Group -> Domain Users | 
| + | Configure Authentifications Methods -> Add -> Microsoft...(PEAP) | ||
| </code> | </code> | ||
| + |  | ||
| + | ===== Win2003 ===== | ||
| - | ==== Ubuntu ==== | ||
| <code> | <code> | ||
| - | root@gate:~# apt-get install libpam-radius-auth | + | Add/Remove Programm -> Windows Components -> Networking services/Internet Authenticatin Service (IAS) | 
| - | + | Add peer to IAS (intgate) | |
| - | root@gate:~# cat /etc/pam_radius_auth.conf | + | Remote Access Polices -> Connection to other access server -> Properties -> Edit Profile -> Authentication | 
| - | ... | + | Check Unencrypted authentication (PAP, SPAP) | 
| - | server testing123 3 | + | Permit DialIn for user user | 
| - | ... | + | |
| - | + | ||
| - | root@gate:~# cat /etc/pam.d/login | + | |
| - | ... | + | |
| - | auth sufficient  pam_radius_auth.so | + | |
| - | # Standard Un*x authentication. | + | |
| - | ... | + | |
| </code> | </code> | ||