RADIUS vs LDAP for authentication

Last modified on 21 Nov, 2022. Revision 8
Explains some of the differences between RADIUS and LDAP when they are used for user authentication in the firewall
Up to date for
cOS Core 14.00.06
Supported since
cOS Core 12.00.xx
Status OK
Author
Peter Nilsson

Question:

I have an Active Directory (AD) which I can also set up to act as a RADIUS server, but is there a reason to do so compared to using LDAP directly? What are the pros and cons?

Answer:

RADIUS server:

A RADIUS server is quick to set up, but the firewall cannot retrieve a user's AD group memberships through it. The RADIUS server can be made to send a list of groups, but only as a string carried in the Clavister VSA (Vendor-Specific Attribute), and in the basic setup that string is a static value configured on the server. Whenever the firewall sends an authentication request and the login succeeds, the server returns the same VSA group string regardless of which user logged in. Different users can be given different groups, but that requires additional configuration on the RADIUS server so that it selects the VSA string per user (or per AD group) instead of returning one fixed value.
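The difference between the static and the per-user setup is easiest to see at the attribute level. The following is an added example (not code from the article or from Clavister) that encodes a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) carrying a group string, once with a fixed value for everybody and once looked up per user. The vendor ID, the vendor type number and the user-to-group mapping are placeholders: take the real numbers from the RADIUS dictionary shipped with cOS Core, and the mapping from whatever policy your RADIUS server can evaluate.

```python
import struct

# Placeholders (not from the article): the enterprise number and the
# vendor-specific attribute number of the Clavister group VSA. Replace with the
# values in the cOS Core RADIUS dictionary. The wire encoding is standard.
VENDOR_ID = 5089
VENDOR_TYPE = 1

# Constructed sample data: what a per-user policy on the RADIUS server would
# consult, and the single string a static configuration always returns.
USER_GROUPS = {
    "alice": "admins;vpn-users",
    "bob": "vpn-users",
}
STATIC_GROUP = "vpn-users"


def encode_vsa(group_string: str, vendor_id: int = VENDOR_ID,
               vendor_type: int = VENDOR_TYPE) -> bytes:
    """Encode a Vendor-Specific attribute: Type 26, Length, Vendor-Id (4 bytes),
    then a vendor sub-attribute of Vendor-Type, Vendor-Length, String."""
    data = group_string.encode("utf-8")
    if len(data) > 247:  # 255 max attribute length minus the 8 header bytes
        raise ValueError("group string too long for one RADIUS attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body


def decode_vsa(attr: bytes):
    """Return (vendor_id, vendor_type, group_string) from an encoded VSA,
    validating both length fields the way a receiver should."""
    attr_type, attr_len = struct.unpack("!BB", attr[:2])
    if attr_type != 26 or attr_len != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_len != len(attr) - 6:
        raise ValueError("vendor sub-attribute length mismatch")
    return vendor_id, vendor_type, attr[8:].decode("utf-8")


def group_vsa_static(user: str) -> bytes:
    """Basic setup: every successful login gets the same group string."""
    return encode_vsa(STATIC_GROUP)


def group_vsa_per_user(user: str) -> bytes:
    """Advanced setup: the group string is chosen per user; unknown users
    fall back to the static value."""
    return encode_vsa(USER_GROUPS.get(user, STATIC_GROUP))


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, "static:", decode_vsa(group_vsa_static(name))[2],
              "| per-user:", decode_vsa(group_vsa_per_user(name))[2])
```

Whichever variant the server uses, the firewall only ever sees the string in this attribute; it has no way to ask the AD what the user's groups actually are, which is the limitation the paragraph above describes.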

LDAP:

The main drawback of LDAP is the large number of settings and parameters that have to be configured correctly. Its big advantage is that group retrieval works better than with RADIUS, because the firewall queries the AD for the groups the user actually belongs to. The one exception is the user's PRIMARY group in the AD, which is not included when the firewall queries group membership over LDAP.

Note: The "Primary group" is not part of a user's normal group list. AD stores it in the user's primaryGroupID attribute (as a RID) rather than as an entry in the user's memberOf attribute, so as soon as a group is set as the primary group, AD removes it from memberOf and an LDAP query of memberOf no longer returns it; the firewall therefore never sees that group. The practical solution is to leave the primary group at its default value, "Domain Users", and not rely on the primary group in firewall rules. If you need a group that contains all domain users, create a new security group and add the users to it explicitly, so that it appears in memberOf.
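To make the gap concrete, here is an added example (not code from the article or from Clavister) run against a constructed directory snapshot. It shows that a plain memberOf lookup, which is what the firewall does over LDAP, misses the primary group, and how the missing group can be resolved from the user's domain SID plus the primaryGroupID RID. The domain SID, group names and users are made up; 513 is the well-known RID of "Domain Users".

```python
# Constructed directory snapshot; not real AD data. Only the attributes the
# lookup needs are modelled: objectSid (as a SID string), primaryGroupID (a RID)
# and memberOf (a list of group DNs).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Group DN -> objectSid. Domain Users always has RID 513.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": DOMAIN_SID + "-513",
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": DOMAIN_SID + "-1105",
    "CN=Firewall-Admins,OU=Groups,DC=example,DC=com": DOMAIN_SID + "-1106",
}

USERS = {
    # Default setup: primary group is Domain Users, so it is absent from memberOf.
    "alice": {
        "objectSid": DOMAIN_SID + "-1201",
        "primaryGroupID": 513,
        "memberOf": [
            "CN=VPN-Users,OU=Groups,DC=example,DC=com",
            "CN=Firewall-Admins,OU=Groups,DC=example,DC=com",
        ],
    },
    # An admin made VPN-Users bob's primary group: AD dropped it from memberOf,
    # and Domain Users (the previous primary group) became an ordinary membership.
    "bob": {
        "objectSid": DOMAIN_SID + "-1202",
        "primaryGroupID": 1105,
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
}


def domain_sid_of(object_sid: str) -> str:
    """Strip the trailing RID from a SID string to get the domain SID."""
    return object_sid.rsplit("-", 1)[0]


def primary_group_dn(user: dict, groups: dict = GROUPS) -> str:
    """Resolve the primary group: the group whose objectSid equals the user's
    domain SID followed by the user's primaryGroupID."""
    wanted = domain_sid_of(user["objectSid"]) + "-" + str(user["primaryGroupID"])
    for dn, sid in groups.items():
        if sid == wanted:
            return dn
    raise LookupError("no group with objectSid " + wanted)


def groups_from_memberof(user: dict) -> set:
    """What a plain memberOf query returns; this is the firewall's view."""
    return set(user["memberOf"])


def effective_groups(user: dict, groups: dict = GROUPS) -> set:
    """memberOf plus the primary group resolved from primaryGroupID."""
    return groups_from_memberof(user) | {primary_group_dn(user, groups)}


def missing_from_memberof(user: dict, groups: dict = GROUPS) -> set:
    """Groups the user really belongs to that a memberOf lookup does not show."""
    return effective_groups(user, groups) - groups_from_memberof(user)


if __name__ == "__main__":
    for name, entry in USERS.items():
        print(name, "memberOf misses:", sorted(missing_from_memberof(entry)))
```

The bob case is the one that surprises people: changing a user's primary group to a group you use in firewall rules makes that group disappear from memberOf, so the user silently loses the matching firewall permissions. Leaving the primary group at Domain Users and putting rule-relevant users in an ordinary security group avoids this.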



Related articles

Roaming IKEv2 tunnel setup in cOS Core with XCA CA and FreeRADIUS
10 Mar, 2023 core vpn ikev2 windows radius certificate
User Auth with Active Directory using cOS Core RADIUS/LDAP
24 Apr, 2023 core legacy activedirectory radius userauth
cOS Core LDAP auth issues with Microsoft AD servers
11 Apr, 2023 ldap core authentication radius
Configuring a Captive Portal in cOS Core
12 Apr, 2023 howto core authenticator authentication webauth captive
How to configure passwordless OneTouch authentication
24 Feb, 2021 easyaccess radius saml sso onetouch
Group membership in FreeRADIUS with cOS Core
6 Apr, 2023 core radius authentication
cOS Core IKEv2 tunnel setup with certificates for iOS clients
5 Apr, 2023 core nps ipsec radius legacy