Setup FreeRadius + ldap + single sign-on

你。 Submitted on 2019-12-11 04:52:31

Question


I am trying to configure single sign-on using FreeRADIUS.

Scenario: I have a fully configured LDAP server (389 DS, version 2.1) with a few users and groups (on CentOS 6). I have installed FreeRADIUS (latest stable version) (on CentOS 6) and configured FreeRADIUS to use the above LDAP server.

I have set up a client system (CentOS 6) as a RADIUS client using the pam_radius module. Now I am able to log in to the NAS with the LDAP credentials and am getting the logs correctly in FreeRADIUS.

Now I want to implement single sign-on in this setup, since I want to add some other devices, like a firewall (SonicWall), to authenticate.

I couldn't find any good docs to configure this.

Can someone please suggest how to configure single sign-on in the above setup?


Answer 1:


For firewalls most people just use the accounting data to start and stop sessions as appropriate. This usually means triggering a script from within the accounting {} section of the FreeRADIUS server, creating the session on Acct-Status-Type == Start and destroying it on Acct-Status-Type == Stop.

If the PAM module sends Interim-Updates, you can record those in a database and also set a 'lastupdated' timestamp. You then have a cron job that checks for rows where NOW() - lastupdated > (interim-interval * 2), and for those rows deletes the session on the firewall and closes out the session in the database.

There is no proper SSO mechanism I know of which runs purely over RADIUS. The Project Moonshot guys were trying to get something working with SAML and a special EAP method, but it is probably too complex for what you want here, and not supported by PAM anyway.
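The accounting-driven approach described in the answer, as an added worked example (this is not code from the original post, from FreeRADIUS or from SonicWall). It assumes FreeRADIUS runs the script from the accounting {} section through rlm_exec, which passes request attributes as environment variables with '-' replaced by '_' (ACCT_STATUS_TYPE, USER_NAME, FRAMED_IP_ADDRESS, ...); that the firewall calls are the hypothetical stand-ins firewall_create_session / firewall_destroy_session, to be replaced by the real firewall API; and an Acct-Interim-Interval of 300 seconds, so a session is stale after 600 seconds. The session table is SQLite so it runs offline, and the sample packets in the test below are constructed.

```python
"""Accounting-driven firewall session tracking (added example; assumptions in the comments)."""
import ipaddress
import os
import sqlite3
import sys
import time

INTERIM_INTERVAL = 300          # seconds; assumed, must match what the NAS is told to use
STALE_AFTER = 2 * INTERIM_INTERVAL

# rlm_exec environment variable -> RADIUS attribute name (assumed rlm_exec naming)
ENV_MAP = {
    "ACCT_STATUS_TYPE": "Acct-Status-Type",
    "ACCT_SESSION_ID": "Acct-Session-Id",
    "USER_NAME": "User-Name",
    "FRAMED_IP_ADDRESS": "Framed-IP-Address",
    "NAS_IP_ADDRESS": "NAS-IP-Address",
}

SCHEMA = """CREATE TABLE IF NOT EXISTS sessions (
    acct_session_id TEXT PRIMARY KEY,
    username        TEXT NOT NULL,
    framed_ip       TEXT NOT NULL,
    nas_ip          TEXT,
    started         INTEGER NOT NULL,
    lastupdated     INTEGER NOT NULL,
    closed          INTEGER)"""

# Hypothetical firewall hooks; calls are recorded so the logic can be checked offline.
firewall_calls = []

def firewall_create_session(username, ip):
    firewall_calls.append(("create", username, ip))

def firewall_destroy_session(username, ip):
    firewall_calls.append(("destroy", username, ip))

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def attrs_from_environ(environ):
    """Rebuild the attribute dict from the variables rlm_exec exports."""
    return {attr: environ[var] for var, attr in ENV_MAP.items() if var in environ}

def _valid_ip(value):
    # The NAS controls Framed-IP-Address; never hand an unvalidated string to a firewall CLI/API.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def handle_accounting(db, attrs, now=None):
    """Apply one accounting packet. Returns what was done, for logging and testing."""
    now = int(now if now is not None else time.time())
    status = attrs.get("Acct-Status-Type")
    sid = attrs.get("Acct-Session-Id")
    user = attrs.get("User-Name")
    if not sid or not user:
        return "ignored"                     # nothing to key the session on
    if status == "Interim-Update":
        cur = db.execute("UPDATE sessions SET lastupdated=? "
                         "WHERE acct_session_id=? AND closed IS NULL", (now, sid))
        db.commit()
        if cur.rowcount:
            return "updated"
        status = "Start"                     # unknown session (e.g. after a restart): treat as Start
    if status == "Start":
        ip = attrs.get("Framed-IP-Address", "")
        if not _valid_ip(ip):
            return "ignored"
        db.execute("INSERT OR REPLACE INTO sessions VALUES (?,?,?,?,?,?,NULL)",
                   (sid, user, ip, attrs.get("NAS-IP-Address"), now, now))
        db.commit()
        firewall_create_session(user, ip)
        return "created"
    if status == "Stop":
        row = db.execute("SELECT username, framed_ip FROM sessions "
                         "WHERE acct_session_id=? AND closed IS NULL", (sid,)).fetchone()
        if row is None:
            return "ignored"                 # never seen, or already closed by the sweep
        db.execute("UPDATE sessions SET closed=? WHERE acct_session_id=?", (now, sid))
        db.commit()
        firewall_destroy_session(*row)       # use the stored values, not the Stop packet's
        return "destroyed"
    return "ignored"

def sweep_stale(db, now=None):
    """Cron entry: close sessions whose last update is older than 2 * interim interval."""
    now = int(now if now is not None else time.time())
    rows = db.execute("SELECT acct_session_id, username, framed_ip FROM sessions "
                      "WHERE closed IS NULL AND ? - lastupdated > ?",
                      (now, STALE_AFTER)).fetchall()
    for sid, user, ip in rows:
        firewall_destroy_session(user, ip)
        db.execute("UPDATE sessions SET closed=? WHERE acct_session_id=?", (now, sid))
    db.commit()
    return len(rows)

if __name__ == "__main__":
    # "fw_session.py" handles one packet from rlm_exec; "fw_session.py sweep" is the cron job.
    db = open_db(os.environ.get("FW_SESSION_DB", "/var/lib/radius-fw/sessions.db"))  # assumed path
    if len(sys.argv) > 1 and sys.argv[1] == "sweep":
        print("closed %d stale sessions" % sweep_stale(db))
    else:
        print(handle_accounting(db, attrs_from_environ(os.environ)))
```

Wiring it in is the usual rlm_exec pattern (an `exec` module instance with `wait = yes` and `input_pairs = request`, listed in `accounting {}`), and the sweep is a cron job calling the script with `sweep`. Two points worth noting: the Framed-IP-Address check matters because the NAS (or anyone who knows a weak shared secret) controls that attribute and it ends up in a firewall command, and an Interim-Update for a session the database has never seen is treated as a Start so that a FreeRADIUS or database restart does not leave users without a firewall session until they log in again.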



Source: https://stackoverflow.com/questions/23474793/setup-freeradius-ldap-single-sign-on
