On 30/07/14 12:38, David Rickard wrote:
> Hi,
>
> Thanks for the reply.
>
> So what you're saying is basically that our ORPS box needs to/can do
> the AD authentication bit itself? I suppose that makes sense really,
> because why bother bouncing it off of ISE if it doesn't need to. I
> had always envisioned sending *everything* back to ISE, come what
> may. I suppose I can do that (means a lot less config on the ORPS),
> but then why bother overall. Also it'd probably lighten the load on
> licences.
>
> Something to ponder there.
As you observe, you can take two approaches with FreeRADIUS as ORPS -
auth directly to AD locally (via a Samba domain membership), or proxy to
another local RADIUS server.

The former is probably more common and gives you the full power of
FreeRADIUS, at the cost of having to do the full work of setting it up.

Some people do the latter. There are various reasons - sometimes people
find they can't get Samba to be reliable, and choose to proxy to MS NPS
or similar. There are other reasons.

A couple of points to bear in mind:

1. Certificates. If your clients trust certs which are locked away
inside ISE, you might not be able to extract them and put them onto
FreeRADIUS.

2. Licensing. A while back, someone on this list (I think) ran into
problems with ISE refusing to auth eduroam IdP (i.e. acting as home
site) requests based on the value of NAS-Port-Type and their licence
type, IIRC. Might want to look into that.

Cheers,
Phil
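Added example, not part of the thread: the two ORPS arrangements described above as FreeRADIUS 3.x configuration fragments. The realm, host names, address and shared secret are placeholders; the ntlm_auth line is the stock one shipped in mods-available/mschap.

```conf
# Added example, not from the thread: the two ORPS arrangements Phil
# describes, as FreeRADIUS 3.x configuration fragments.  Realm, host
# names, addresses and the shared secret are placeholders.

# --- Option 1: authenticate against AD locally ---------------------------
# mods-available/mschap, once the box is joined to the domain ('net ads
# join') and winbind is running.  EAP terminates here, so FreeRADIUS
# needs its own server certificate that the clients trust.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- Option 2: proxy the home realm to another local RADIUS server -------
# proxy.conf.  EAP terminates on the NPS box, so the certificate the
# clients already trust can stay where it is (point 1 above).
home_server nps1 {
    type = auth
    ipaddr = 192.0.2.10                  # placeholder: the NPS server
    port = 1812
    secret = CHANGE-ME                   # placeholder shared secret
    require_message_authenticator = yes  # drop replies lacking Message-Authenticator
    response_window = 20
    status_check = status-server         # notice a dead NPS rather than timing out each EAP exchange
    revive_interval = 120
}

home_server_pool nps_pool {
    type = fail-over
    home_server = nps1
}

# Only our own realm goes to NPS; visitor traffic for other realms keeps
# the shipped DEFAULT realm handling towards the national proxies.
realm example.ac.uk {
    auth_pool = nps_pool
    nostrip                              # NPS expects the full user@realm name
}
```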