Hi,
It sounds like letting ISE do the authentication work might be simplest. Otherwise we've got to get two boxes in the DMZ talking AD via Samba, which sounds like far more work than it's worth. We've been planning to do that all along, so I think we'll continue with that, for now.
Regards
--
David Rickard
Systems Manager
IT - Core Systems Team
Buckinghamshire New University
High Wycombe Campus
Queen Alexandra Road
High Wycombe
Buckinghamshire HP11 2JZ
Telephone: 01494 601 649
Facsimile: 01494 524 392
Main Switchboard: 01494 522 141, ext. 1649
bucks.ac.uk
-----Original Message-----
From: Phil Mayers [mailto:[log in to unmask]]
Sent: 30 July 2014 12:50
To: David Rickard; [log in to unmask]
Subject: Re: Organisational Proxy Setup
On 30/07/14 12:38, David Rickard wrote:
> Hi,
>
> Thanks for the reply.
>
> So what you're saying is basically our ORPS box needs to/can do the
> AD authentication bit itself? I suppose that makes sense really,
> because why bother bouncing it off of ISE if it doesn't need to. I had
> always envisioned sending *everything* back to ISE, come what may. I
> suppose I can do that (means a lot less config on the ORPS), but then
> why bother overall. Also it'd probably lighten the load on licences.
>
> Something to ponder there.
As you observe, you can take two approaches with FreeRADIUS as ORPS - auth directly to AD locally (via a Samba domain membership), or proxy to another local RADIUS server.
The former is probably more common and gives you the full power of FreeRADIUS, at the cost of having to do the full work of setting it up.
Some people do the latter. There are various reasons - sometimes people find they can't get Samba to be reliable, and choose to proxy to MS NPS or similar. There are other reasons.
Couple of points to bear in mind:
1. Certificates. If your clients trust certs which are locked away inside ISE, you might not be able to extract them and put them onto FreeRADIUS.
2. Licensing. A while back, someone on this list (I think) ran into problems with ISE refusing to auth eduroam IdP (i.e. acting as home site) requests based on the value of NAS-Port-Type and their licence type, IIRC. Might want to look into that.
Cheers,
Phil
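The two ORPS arrangements Phil describes, sketched as FreeRADIUS 3 configuration. This is an added illustration, not configuration from either poster or from the university; the realm name, ISE address and shared secret are placeholders.

```conf
# --- Option A: proxy the home realm to ISE (proxy.conf) ---
# The inner EAP method and the server certificate stay on ISE;
# FreeRADIUS only forwards, so certs "locked inside ISE" are not an issue.
home_server ise_primary {
        type = auth
        ipaddr = 192.0.2.10        # placeholder: ISE policy node address
        port = 1812
        secret = CHANGE_ME         # placeholder shared secret
        status_check = status-server
        response_window = 20
}

home_server_pool ise_pool {
        type = fail-over
        home_server = ise_primary
}

realm example.ac.uk {              # placeholder: your home realm
        auth_pool = ise_pool
        nostrip                    # pass user@realm through unchanged
}

# --- Option B: authenticate locally against AD (mods-available/mschap) ---
# Requires the ORPS to be a Samba domain member with winbindd running;
# FreeRADIUS hands the MS-CHAPv2 challenge/response to ntlm_auth.
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# With option B the realm has no auth_pool, so proxy.conf handles it locally:
realm example.ac.uk {
}
```

In option B the PEAP/TTLS outer tunnel terminates on the ORPS, so FreeRADIUS must present its own server certificate that clients trust, which is the certificate point raised above.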