radius_аутентификация_в_microsoft_ad

Differences

This shows you the differences between two versions of the page.

radius_аутентификация_в_microsoft_ad [2013/10/09 16:20]
val [Ubuntu]
radius_аутентификация_в_microsoft_ad [2013/12/15 07:27] (current)
val
Line 1: Line 1:
 ====== RADIUS аутентификация в Microsoft AD ====== ====== RADIUS аутентификация в Microsoft AD ======
  
-===== Добавление RADIUS интерфейса к AD =====+===== Win2008 ​=====
  
-==== Win2008 ​====+==== Установка и настройка ​====
  
-[[http://​www.fatofthelan.com/​technical/​using-windows-2008-for-radius-authentication/​]]+  * Using Windows 2008 for RADIUS Authentification ([[http://​www.fatofthelan.com/​technical/​using-windows-2008-for-radius-authentication/​]])
  
 <​code>​ <​code>​
 Server Manager -> Roles ->  Server Manager -> Roles -> 
   Add Roles -> Network Polices and Access Services -> Network Policy Server   Add Roles -> Network Polices and Access Services -> Network Policy Server
-  Network Polices and Access Services -> NPS(local) ->  +  Network Polices and Access Services -> NPS(local) -> Register server in Active Directory
-    ​Register server in Active Directory+
     Radius Clients and Servers -> new     Radius Clients and Servers -> new
-    ​Polices -> Network Polices -> new +    ​...
-      Plicy Name: my policy +
-      Conditions: Windows Group -> Dimain Users +
-      Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP)+
 </​code>​ </​code>​
-==== Win2003 ==== 
  
-  * Add/Remove Programm -> Windows Components -> Networking services/​Internet Authenticatin Service (IAS) +==== Аутентификация Cisco login ====
-  * Add peer to IAS (intgate) +
-  * Remote Access Polices -> Connection to other access server -> Properties -> Edit Profile -> Authentication +
-  * Check Unencrypted authentication (PAP, SPAP) +
-  * Permit DialIn for user user+
  
-===== Тестирование RADIUS интерфейса к AD ===== 
 <​code>​ <​code>​
-gate# radtest user1 '​Pa$$w0rd1'​ server 1 '​testing123'​+Server Manager -> Roles -> 
 +  Network Polices and Access Services -> NPS(local) ->  
 +    Polices -> Network Polices -> policy cisco admin -> Propeties 
 +      Constraints -> 
 +        Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP) 
 +      Settings -> 
 +        Standart -> Service-Type = NAS-Prompt
 </​code>​ </​code>​
  
-===== Нестройка библиотеки ​pam radius для сервиса ssh =====+==== Авторизация Cisco exec ==== 
 + 
 +  * Configure a Custom VSA ([[http://​technet.microsoft.com/​en-us/​library/​cc731611.aspx]]) 
 +  * Аутентификация на сетевых устройствах CISCO средствами Active Directory ([[http://​habrahabr.ru/​post/​135419/​]])
  
-==== FreeBSD ==== 
 <​code>​ <​code>​
-[gate:~] # cat /​etc/​radius.conf +Server Manager -> Roles -> 
-</code><code+  ​Network Polices and Access Services -NPS(local) ->  
-auth server testing123 3 +    ​Polices -Network Polices -policy cisco admin -> Propeties 
-</code><code+      ​Constraints -> 
-[gate:~] # cat /​etc/​pam.d/​system +        ​Configure Authentifications Methods -Unencrypted Authentificatios (PAP, SPAP) 
-</​code><​code+      ​Settings -> 
-... +        ​Standart -> Service-Type = NAS-Prompt 
-auth    sufficient ​     pam_radius.so ​  ​no_warn try_first_pass +        ​Vendor Specific -> Cisco-AVPair = shell:​priv-lvl=15 
-auth    required ​       pam_unix.so ​    ​no_warn try_first_pass ​ +</​code> ​    
-... + 
-</​code>​ +==== Аутентификация 802.1x (PEAP) ​==== 
-==== Ubuntu ​====+ 
 +  * При использовании PEAP в XSupplicant необходимо в поле "Other Identity"​ указать имя пользователя 
 <​code>​ <​code>​
-root@gate:​~#​ apt-get install libpam-radius-auth+Server Manager ​-> Roles ->  
 +  Add Roles -> Active Directory Certificate Services 
 +   ... Web Enrollment ...
  
-root@gate:~# cat /​etc/​pam_radius_auth.conf +Server Manager -> Roles -> 
-</code><code> +  Network Polices and Access Services -> NPS(local) ->  
-server testing123 3 +    Polices -> Network Polices -> new 
-</​code><​code>​ +      Plicy Namepolicy 802.1x 
-root@gate:​~#​ cat /etc/pam.d/login +      ​Conditions:​ Windows Group -Domain Users 
-</code><code+      Configure Authentifications Methods -Add -> Microsoft...(PEAP) 
-... +</​code>​ 
-auth       ​sufficient ​  ​pam_radius_auth.so +       
-# Standard Un*x authentication. +===== Win2003 ===== 
-...+ 
 +<​code>​ 
 +Add/Remove Programm -> Windows Components -> Networking services/Internet Authenticatin Service (IAS) 
 +  Add peer to IAS (intgate) 
 +    Remote Access Polices -Connection to other access server -Properties -> Edit Profile -> Authentication 
 +    Check Unencrypted ​authentication ​(PAP, SPAP) 
 +    ​Permit DialIn for user user
 </​code>​ </​code>​
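Review bot: The new "Авторизация Cisco exec" block returns Cisco-AVPair = shell:priv-lvl=15 from "policy cisco admin", but this revision replaces the policy-creation steps with "..." so the page no longer says which Conditions (Windows Group) that policy matches. The removed example matched on Domain Users; a reader who reuses that condition grants privilege level 15 to every domain account. State the condition explicitly next to the priv-lvl line, for example a dedicated group for network administrators. Both Cisco blocks also keep "Unencrypted Authentificatios (PAP, SPAP)", where the password is protected only by the RADIUS shared secret, so the page should say that the secret entered under "Radius Clients and Servers -> new" needs to be long and unique per client. The revision drops the radtest check and the pam_radius sections for FreeBSD and Ubuntu without a replacement or a link, which leaves no step on the page for verifying the NPS setup; consider keeping a test step with a placeholder in place of 'testing123'. The "Cisco exec" block repeats the whole "Cisco login" block and differs only in the Vendor Specific line, so showing just that line would make the difference visible. Spelling in the added lines ("Propeties", "Standart", "Plicy Name") can be fixed in the same pass.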
radius_аутентификация_в_microsoft_ad.1381321255.txt.gz · Last modified: 2013/10/09 16:20 by val