Question:
I have an Active Directory (AD) which I can also set up to act as a Radius server but is there a reason to do so compared to using LDAP directly? What are the pros and cons?
Answer:
Radius server:
A Radius server is quite easy to set up, but it cannot retrieve groups from the AD. It is possible to make the Radius server send a list of user groups, but this list is a static value defined in the Clavister VSA (Vendor-Specific Attribute). This means that whenever the Firewall sends a Radius query to the Radius server, the server always replies with the same VSA group string (assuming, of course, that the login was successful). If we want different users to belong to different groups this can still be achieved, but it requires more advanced configuration of the Radius server so that it sends different VSA strings depending on the user.
LDAP:
One of the main problems with LDAP is that it has a large number of settings and parameters to configure. The big advantage is that group retrieval works better than with Radius, because the Firewall queries the AD for the user's actual groups. The exception is the PRIMARY user group in the AD, which will not be listed when the Firewall queries the group membership using LDAP.
Note: The "Primary group" is not considered to be part of a user's normal group list (e.g. when querying the "MemberOf" attribute on a user). As a result, as soon as a group is set as the "Primary group" it disappears from "MemberOf", so the server does not send it. A solution is to leave the default value, i.e. "Domain Users", as the primary group, or to create a new security group that includes all the domain users.
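The primary group can still be recovered on the LDAP side: AD stores it as the `primaryGroupID` attribute (a RID), and the group's SID is the user's domain SID with that RID appended. The following is an added example, not Clavister's or Microsoft's code, that shows how to derive the primary group SID from a user's `objectSid` and merge it into the `MemberOf` list. The sample SID bytes and DNs are constructed; in a live query the filter it builds would be run with an LDAP client such as ldap3 (assumed, not shown) against the domain base DN.

```python
import struct

def sid_bytes_to_str(sid: bytes) -> str:
    """Convert a binary objectSid, as AD returns it, to its S-1-5-21-... text form."""
    revision = sid[0]
    sub_count = sid[1]
    authority = int.from_bytes(sid[2:8], "big")          # 48-bit big-endian authority
    subs = struct.unpack("<" + "I" * sub_count, sid[8:8 + 4 * sub_count])  # little-endian RIDs
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group lives in the user's own domain: swap the user's RID for primaryGroupID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"

def primary_group_filter(group_sid: str) -> str:
    """LDAP filter that resolves the primary group object (AD accepts the SID in string form)."""
    return f"(&(objectClass=group)(objectSid={group_sid}))"

def effective_groups(member_of, primary_group_dn):
    """MemberOf never contains the primary group, so add the resolved DN if it is missing."""
    groups = list(member_of)
    if primary_group_dn not in groups:
        groups.append(primary_group_dn)
    return groups

# Constructed sample: revision 1, 5 sub-authorities, authority 5,
# then 21-1111-2222-3333 (domain) and RID 1105 (the user).
SAMPLE_USER_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1111, 2222, 3333, 1105)
SAMPLE_PRIMARY_GROUP_ID = 513                      # 513 is the well-known RID of "Domain Users"
SAMPLE_MEMBER_OF = ["CN=VPN Users,OU=Groups,DC=example,DC=test"]   # constructed DN

def demo():
    user_sid = sid_bytes_to_str(SAMPLE_USER_SID)
    group_sid = primary_group_sid(user_sid, SAMPLE_PRIMARY_GROUP_ID)
    # In a real lookup the DN below would be the result of searching primary_group_filter(group_sid).
    primary_dn = "CN=Domain Users,CN=Users,DC=example,DC=test"      # constructed DN
    return user_sid, group_sid, effective_groups(SAMPLE_MEMBER_OF, primary_dn)

if __name__ == "__main__":
    print(demo())
```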