Radius VS LDAP

Peter
Location: Clavister HQ - Örnsköldsvik

Post by Peter » 04 Sep 2019, 11:54

This FAQ applies to:
  • Any cOS Core version that has support for LDAP & Radius

Question:
I have an Active Directory (AD) which I can also set up to act as a Radius server, but is there a reason to do so compared to using LDAP directly? What are the pros and cons?

Answer:

Radius server:
A Radius server is quite easy to set up, but it is not possible to retrieve groups from the AD. It is possible to make the Radius server send a list of user groups, but this is then based on a static value defined in the Clavister VSA (Vendor-Specific Attribute). This means that when a Radius query is sent from the Firewall to the Radius server, the Radius server will always reply with this VSA group string (assuming, of course, that the login was successful). If we want different users to belong to different groups, it is possible to achieve, but it means you need to do some more advanced configuration of the Radius server in order to make it send different VSA strings based on the user.

LDAP:
One of the main problems with LDAP is that it contains a vast amount of settings and parameters to configure. The big advantage is that group retrieval works better than with the above-mentioned Radius, as it will query the AD for the actual groups. The exception is the PRIMARY user group in the AD, which will not be listed when the Firewall queries the group membership using LDAP.

Note: The "Primary group" is not considered a part of the normal groups list for a user (e.g. when querying the "MemberOf" attribute on a user). As a result, the group that is set as "Primary group" immediately leaves "MemberOf", so the server is not sending it. The proposed solution is to actually leave the default value, i.e. "Domain Users", or create a new security group where all the domain users are included.
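As an added illustration of the primary-group caveat above (this is not code from the post or from Clavister): AD records a user's primary group only in the primaryGroupID attribute, as the RID of that group, so anything that reads only memberOf never sees it. The Python sample below goes one step beyond the post by resolving that RID against the domain part of the user's own objectSid to obtain the complete group list; the directory data, names and SIDs are constructed for the example.

```python
import struct


def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid: revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, then little-endian 32-bit
    sub-authorities. Returns the familiar S-1-5-21-... text form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(text: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the constructed sample."""
    parts = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def effective_groups(user: dict, groups_by_sid: dict) -> list:
    """memberOf plus the primary group. AD exposes the primary group only as
    primaryGroupID (a RID), so its SID is the user's domain SID + that RID."""
    groups = list(user.get("memberOf", []))
    user_sid = sid_to_string(user["objectSid"])
    domain_sid = user_sid.rsplit("-", 1)[0]          # strip the user's own RID
    primary_sid = "%s-%d" % (domain_sid, user["primaryGroupID"])
    primary_dn = groups_by_sid.get(primary_sid)      # lookup by objectSid of groups
    if primary_dn and primary_dn not in groups:
        groups.append(primary_dn)
    return groups


# Constructed sample data standing in for LDAP query results (not a real directory).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
GROUPS_BY_SID = {
    DOMAIN_SID + "-513": "CN=Domain Users,CN=Users,DC=example,DC=com",   # well-known RID 513
    DOMAIN_SID + "-1105": "CN=VPN Users,OU=Groups,DC=example,DC=com",
}
USER = {
    "sAMAccountName": "alice",
    "objectSid": sid_to_bytes(DOMAIN_SID + "-1201"),
    "primaryGroupID": 513,
    # memberOf holds only explicit memberships; Domain Users is absent, as the post notes.
    "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    print(effective_groups(USER, GROUPS_BY_SID))
```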
