I have an Active Directory (AD) which I can also set up to act as a Radius server but is there a reason to do so compared to using LDAP directly? What are the pros and cons?


Radius server:

A Radius server is quite easy to setup but it is not possible to retrieve groups from the AD. It is possible to make the Radius server send a list of user groups but this is then based on a static value defined in the Clavister VSA (Vendor-Specific-Attribute). Meaning that when a Radius query is sent from the Firewall to the Radius server, the Radius server will always reply with this VSA group string (assuming of course the login was successful). If we want different users to belong to different groups, it is possible to achieve this but it means we will need to do some more advanced configuration of the Radius server in order to make it send different VSA strings based on the user.


LDAP:

One of the main problems with LDAP is that it contains a vast amount of settings and parameters to configure. The big advantage is that group retrieval works better than Radius, as it will query the AD for the actual groups. The exception is the PRIMARY user group in the AD that will not be listed when the Firewall queries the group membership using LDAP.

Note: The "Primary group" is not considered to be a part of the normal groups list for a user (e.g. when querying the "MemberOf" attribute on a user). As a result, the group that is set as "Primary group" immediately leaves the "MemberOf" attribute, so the server does not send it. A solution is to actually leave the default value, i.e. "Domain Users", or create a new security group where all the domain users are included.
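The primary-group gap described in the answer is easy to reproduce offline. The script below is an added illustration, not code from the original post, the firewall vendor or any LDAP library: it models a user's LDAP attributes as plain dictionaries (the domain SID, group DNs and RIDs are constructed sample values) and shows how an authorization check that relies only on `memberOf` misses a group once it has been made the user's primary group, while resolving `primaryGroupID` against the groups' `objectSid` RIDs recovers it. In a real directory you would fetch `memberOf`, `primaryGroupID` and each group's `objectSid` over LDAP; the resolution logic is the same.

```python
"""Resolve a user's effective AD groups from LDAP attributes.

AD stores the primary group only as primaryGroupID (a RID), never in
memberOf, so a memberOf-only check silently drops that group.  All
directory data below is constructed for the example.
"""

from typing import Dict, List, Optional

# Constructed domain SID (placeholder, not a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Groups keyed by DN, each with its objectSid; 513 is the well-known
# RID of "Domain Users", the others are constructed sample RIDs.
GROUPS: Dict[str, Dict[str, str]] = {
    "CN=Domain Users,CN=Users,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-513"},
    "CN=VPN-Users,OU=Groups,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-1105"},
    "CN=Admins,OU=Groups,DC=example,DC=local": {
        "objectSid": f"{DOMAIN_SID}-1106"},
}

# alice keeps the default primary group (Domain Users) and is an
# ordinary member of VPN-Users, so memberOf lists VPN-Users.
ALICE = {
    "sAMAccountName": "alice",
    "primaryGroupID": "513",
    "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=local"],
}

# bob had VPN-Users set as his primary group: AD moved it out of
# memberOf and Domain Users is now a normal membership instead.
BOB = {
    "sAMAccountName": "bob",
    "primaryGroupID": "1105",
    "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=local"],
}


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (last SID component) as an int."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_dn(user: Dict, groups: Dict[str, Dict[str, str]],
                     domain_sid: str = DOMAIN_SID) -> Optional[str]:
    """Map primaryGroupID to the DN of the group whose SID is
    <domain SID>-<RID>; None if no such group is known."""
    rid = int(user["primaryGroupID"])
    for dn, attrs in groups.items():
        sid = attrs["objectSid"]
        if sid.startswith(domain_sid + "-") and rid_from_sid(sid) == rid:
            return dn
    return None


def memberof_groups(user: Dict) -> List[str]:
    """What a naive LDAP query of memberOf alone yields."""
    return list(user.get("memberOf", []))


def effective_groups(user: Dict, groups: Dict[str, Dict[str, str]]) -> List[str]:
    """memberOf plus the primary group resolved via primaryGroupID."""
    found = memberof_groups(user)
    primary = primary_group_dn(user, groups)
    if primary and primary not in found:
        found.append(primary)
    return found


def cn_of(dn: str) -> str:
    """Extract the CN from a DN such as 'CN=VPN-Users,OU=Groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def is_member(user: Dict, group_cn: str, groups: Dict[str, Dict[str, str]],
              include_primary: bool) -> bool:
    """Authorization check used by a gateway: does the user belong to
    group_cn?  include_primary selects the corrected resolution."""
    dns = effective_groups(user, groups) if include_primary else memberof_groups(user)
    return any(cn_of(dn) == group_cn for dn in dns)


if __name__ == "__main__":
    for user in (ALICE, BOB):
        name = user["sAMAccountName"]
        print(name, "memberOf only:", [cn_of(d) for d in memberof_groups(user)])
        print(name, "with primary :", [cn_of(d) for d in effective_groups(user, GROUPS)])
        print(name, "VPN-Users via memberOf:",
              is_member(user, "VPN-Users", GROUPS, include_primary=False),
              "| with primary:",
              is_member(user, "VPN-Users", GROUPS, include_primary=True))
```

Running it shows why the answer recommends leaving the primary group at "Domain Users": alice passes a VPN-Users check either way, while bob is denied by the memberOf-only check and only passes once `primaryGroupID` is resolved. If the gateway cannot be made to resolve the primary group, keeping every access-controlling group as an ordinary membership avoids the mismatch.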

