radius_аутентификация_в_microsoft_ad

Differences

This shows you the differences between two versions of the page.

radius_аутентификация_в_microsoft_ad [2013/10/09 15:50]
val [Win2008]
radius_аутентификация_в_microsoft_ad [2013/12/15 07:27] (current)
val
Line 1: Line 1:
 ====== RADIUS аутентификация в Microsoft AD ====== ====== RADIUS аутентификация в Microsoft AD ======
  
-===== Добавление RADIUS интерфейса к AD =====+===== Win2008 ​=====
  
-==== Win2008 ​====+==== Установка и настройка ​====
  
-[[http://​www.fatofthelan.com/​technical/​using-windows-2008-for-radius-authentication/​]]+  * Using Windows 2008 for RADIUS Authentification ([[http://​www.fatofthelan.com/​technical/​using-windows-2008-for-radius-authentication/​]])
  
 <​code>​ <​code>​
 Server Manager -> Roles ->  Server Manager -> Roles -> 
   Add Roles -> Network Polices and Access Services -> Network Policy Server   Add Roles -> Network Polices and Access Services -> Network Policy Server
-  Network Polices and Access Services -> NPS(local) ->  +  Network Polices and Access Services -> NPS(local) -> Register server in Active Directory
-    ​Register server in Active Directory+
     Radius Clients and Servers -> new     Radius Clients and Servers -> new
-    ​Polices -> Network Polices -> new +    ​...
-      Plicy Name: my policy +
-      Conditions: Windows Group -> Dimain Users +
-      Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP)+
 </​code>​ </​code>​
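Review bot: The `...` added under `Radius Clients and Servers -> new` replaces the only steps that showed how a network policy is created (policy name, `Conditions: Windows Group`, authentication method), while the sections added further down open `policy cisco admin -> Propeties` as if that policy already existed. Keep the creation steps in this block, with the policy name and the group condition written out, so the later sections edit a policy the reader has actually made.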
-==== Win2003 ==== 
  
-  * Add/Remove Programm -> Windows Components -> Networking services/​Internet Authenticatin Service (IAS) +==== Аутентификация Cisco login ====
-  * Add peer to IAS (intgate) +
-  * Remote Access Polices -> Connection to other access server -> Properties -> Edit Profile -> Authentication +
-  * Check Unencrypted authentication (PAP, SPAP) +
-  * Permit DialIn for user user+
  
-===== Тестирование RADIUS интерфейса к AD ===== 
 <​code>​ <​code>​
-gate# radtest user1 '​Pa$$w0rd1'​ server 1 '​testing123'​+Server Manager -> Roles -> 
 +  Network Polices and Access Services -> NPS(local) ->  
 +    Polices -> Network Polices -> policy cisco admin -> Propeties 
 +      Constraints -> 
 +        Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP) 
 +      Settings -> 
 +        Standart -> Service-Type = NAS-Prompt
 </​code>​ </​code>​
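Review bot: `Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP)` is chosen for Cisco login with no word on what it implies. With PAP over RADIUS the user's AD password is protected in transit only by the shared secret set for the client under `Radius Clients and Servers`, so this section should say that the secret needs to be long, random and distinct per device. The labels `Propeties`, `Standart` and `Authentifications` also differ from the NPS console spelling (Properties, Standard, Authentication), which makes the path harder to match against the UI.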
  
-===== Нестройка библиотеки ​pam radius для сервиса ssh =====+==== Авторизация Cisco exec ==== 
 + 
 +  * Configure a Custom VSA ([[http://​technet.microsoft.com/​en-us/​library/​cc731611.aspx]]) 
 +  * Аутентификация на сетевых устройствах CISCO средствами Active Directory ([[http://​habrahabr.ru/​post/​135419/​]])
  
-==== FreeBSD ==== 
 <​code>​ <​code>​
-[gate:~] # cat /​etc/​radius.conf +Server Manager -> Roles -> 
-auth server testing123 3+  Network Polices and Access Services -> NPS(local) ->  
 +    Polices -> Network Polices -> policy cisco admin -> Propeties 
 +      Constraints -> 
 +        Configure Authentifications Methods -> Unencrypted Authentificatios (PAP, SPAP) 
 +      Settings -> 
 +        Standart -> Service-Type = NAS-Prompt 
 +        Vendor Specific -> Cisco-AVPair = shell:priv-lvl=15 
 +</​code> ​   ​
  
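Review bot: `Vendor Specific -> Cisco-AVPair = shell:priv-lvl=15` at the end of this block hands privilege level 15 to every account that matches `policy cisco admin`, and the block lists no Conditions for that policy; the text removed earlier in the diff matched on `Windows Group -> Dimain Users`. State the condition here and tie it to a dedicated group for device administrators rather than to all domain users. The first six lines repeat the Cisco login block verbatim, so this section could show only the added `Vendor Specific` line and refer back to the login settings.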
-[gate:~] # cat /etc/pam.d/system +==== Аутентификация 802.1x (PEAP) ==== 
-... + 
-auth    sufficient ​     pam_radius.so ​  ​no_warn try_first_pass +  * При использовании PEAP в XSupplicant необходимо в поле "Other Identity"​ указать имя пользователя
-auth    required ​       pam_unix.so ​    ​no_warn try_first_pass  +
-... +
-</​code>​+
  
-==== Ubuntu ==== 
 <​code>​ <​code>​
-root@gate:​~#​ apt-get install libpam-radius-auth+Server Manager ​-> Roles ->  
 +  Add Roles -> Active Directory Certificate Services 
 +   ... Web Enrollment ...
  
-root@gate:~# cat /​etc/​pam_radius_auth.conf +Server Manager -> Roles -> 
-... +  Network Polices and Access Services -> NPS(local) ->  
-server testing123 3 +    Polices -> Network Polices -> new 
-...+      Plicy Namepolicy 802.1x 
 +      ​Conditions:​ Windows Group -> Domain Users 
 +      Configure Authentifications Methods -> Add -> Microsoft...(PEAP) 
 +</​code>​ 
 +       
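Review bot: The PEAP steps go from `Add Roles -> Active Directory Certificate Services` and `... Web Enrollment ...` straight to `Add -> Microsoft...(PEAP)`, leaving out the server certificate altogether. PEAP needs a certificate on the NPS server, and supplicants should trust the issuing CA and validate that certificate, so the block should say which certificate is selected in the PEAP properties and how clients get the CA certificate. In the same block `Plicy Namepolicy 802.1x` has lost the `: ` separator that the removed `Plicy Name: my policy` line had, and `Plicy` is still misspelled.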
 +===== Win2003 =====
  
-root@gate:​~#​ cat /etc/pam.d/login +<​code>​ 
-... +Add/Remove Programm -> Windows Components -> Networking services/Internet Authenticatin Service (IAS) 
-auth       ​sufficient ​  ​pam_radius_auth.so +  Add peer to IAS (intgate) 
-# Standard Un*x authentication. +    ​Remote Access Polices -> Connection to other access server -> Properties -> Edit Profile -> Authentication 
-...+    Check Unencrypted ​authentication ​(PAP, SPAP) 
 +    ​Permit DialIn for user user
 </​code>​ </​code>​
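Review bot: The removed lines drop the `radtest` check and the whole pam_radius setup for ssh (FreeBSD `/etc/radius.conf`, Ubuntu `libpam-radius-auth` and `/etc/pam.d/login`) without a pointer to where they went, so the page no longer shows any way to verify the NPS configuration from a client. If that material moved to another page, link it from here; otherwise keep at least the test step, with placeholders instead of the literal password and shared secret the old example carried. In the new Win2003 block the indentation nests `Remote Access Polices` and the lines after it under `Add peer to IAS (intgate)`, whereas the bullets it replaces were sibling steps, and `Programm` and `Authenticatin` were carried over unchanged.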
radius_аутентификация_в_microsoft_ad.1381319447.txt.gz · Last modified: 2013/10/09 15:50 by val