How to configure NAC as RADIUS to authorize AD users


Hello, everybody,

please, give me a link to some manuals.

I want to use one of two existing NAC installations as RADIUS to authorize AD users for an external system (Fortigate FG-600 firewall).

So, the questions are:

1) How to configure NAC to send authorization requests to AD domain controllers?
2) How to configure NAC to be a RADIUS server?

Many thanks in advance,
Ilya

7 replies

Hello,

NAC is a RADIUS server by default.
To leverage AD you can proxy RADIUS to an NPS server or you can set up NAC to use LDAP/NTLM Authentication and authenticate users directly to AD (with no proxy to NPS).

Which are you looking to do?

You can see topics on this via the "Help" in NetSight or via our website where you download NAC/NetSight software.

*Note that Fortinet is not a supported Firewall if you are looking to authenticate VPN users through NAC...we only support Cisco ASA, Juniper SA, and Enterasys XSR. This information is in the Release Notes. You can likely use NAC for mgmt access to the Fortinet, however.

Regards,

Scott Keene
NMS/NAC Support
Extreme GTAC

Hi, Scott,

thanks for your reply.

Could you please explain what the difference is between proxying RADIUS requests to NPS and authenticating users directly to AD? What is the easiest way?

I do not need to authenticate VPN users, just wired and wifi users to allow them Internet access.

Thank you very much!

Hello Ilya,

Simplified, the difference between proxying RADIUS to NPS and authenticating locally is the following.

If you use proxy, all auth requests are forwarded to the NPS, and the NPS makes the decision who comes in and what information (e.g. RADIUS attributes) is sent back to the client. But NAC can overwrite the information sent back to the client if needed!

If you use NAC as RADIUS, NAC makes the decision who comes in and sends back all RADIUS attributes for authorization. But the NAC can ask a directory like AD to make the correct decision.

Here is a lot of good information on how you can use NAC as RADIUS and ask the AD for more information.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-compu...

In my opinion you are more flexible if you do the authentication and authorization directly on the NAC, and you do not have to ask a Windows Server admin for support.

But there are situations where the proxy solution is more beneficial.

Best regards
Stephan
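
The two decision paths described in the post above, as an added sketch that is not part of the original thread and is not Extreme NAC code or configuration: a toy model of which component decides Accept/Reject and where the reply attributes come from in each mode. The function names, users, groups and attribute values are constructed for illustration, and the rules "an NPS Reject cannot be overridden" and "unmapped users are rejected" are assumptions of the sketch.

```python
# Toy model (constructed; not Extreme NAC code) of the two RADIUS modes.
import hmac
from dataclasses import dataclass, field

@dataclass
class Reply:
    accept: bool
    attributes: dict = field(default_factory=dict)
    decided_by: str = ""

# Constructed stand-in for AD: user -> (password, groups)
DIRECTORY = {
    "alice": ("s3cret", {"Staff"}),
    "bob": ("hunter2", {"Guests"}),
    "carol": ("pw", set()),  # valid account, but in no mapped group
}
# Constructed NAC-side mapping: AD group -> RADIUS reply attributes
GROUP_POLICY = {
    "Staff": {"Filter-Id": "Enterprise User"},
    "Guests": {"Filter-Id": "Guest Access"},
}

def directory_check(user, password):
    """Return the user's groups if the credentials match, else None."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]

def nps_decide(user, password):
    """Hypothetical upstream NPS: it checks credentials and picks attributes."""
    if directory_check(user, password) is None:
        return Reply(False, decided_by="NPS")
    return Reply(True, {"Filter-Id": "nps-default", "Session-Timeout": 3600}, "NPS")

def nac_proxy(user, password, overrides=None):
    """Proxy mode: NAC forwards, NPS decides. NAC may rewrite attributes on
    an Accept; in this sketch a Reject from NPS stays a Reject."""
    reply = nps_decide(user, password)
    if reply.accept and overrides:
        reply.attributes.update(overrides)
    return reply

def nac_local(user, password):
    """Local mode: NAC decides, asking the directory for the credential
    check and group membership, and builds every reply attribute itself."""
    groups = directory_check(user, password)
    mapped = [GROUP_POLICY[g] for g in sorted(groups or ()) if g in GROUP_POLICY]
    if groups is None or not mapped:
        return Reply(False, decided_by="NAC")
    return Reply(True, dict(mapped[0]), "NAC")
```

In proxy mode the accept policy lives on the NPS server and NAC only post-processes the reply; in local mode both the policy and the attribute mapping live on NAC, so the directory only needs to answer lookups.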

Hi, Stephan,

thank you...

Unfortunately, the article is unavailable...

Hi,

I tested the link again with (different) devices some minutes ago. It works. Please test again.

Ilya

Please try this link if you are still having problems: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-computer-using-802-1x-and-LDAP-lookups-to-ensure-the-user-AND-computer-is-in-the-domain-denying-access-to-users-with-valid-domain-credentials-on-BYOD-devices

-Gareth

Here is another thread with a discussion about the differences between RADIUS and NAC:

https://community.extremenetworks.com/extreme/topics/nac-vs-seperate-radius-server

Best regards
Stephan
