netscreen webauth with windows ad account and group via freeradius-11762130

　　author contact: shezho@gmail.com
　　I got a task to integrate our corp windows AD  with our netscreen firewall webauth function. before this our firewall supports only
　　local users, that causes big work  load to create accounts especially when the user number grows more and more.
　　To use windows AD, ldap firstly comes into mind but soon I found it’s not usable as I even can’t find where to define the ldap search account and password. As I know on SRX this will work quite well and simply by using ldap to interconnect with windows AD from firewall.
　　Then I consider netscreen+ radius+windows AD. it’s easy to find a lot of articles about using IAS to achieve this, but it doesn’t work for me
　　as it requires to install IAS on windows AD, as I am not authorized to do that.
　　then I figureout the way netscreen+freeradius+ windows AD as below.
　　1. install freeradius：
　　yum install freeradius freeradius-ldap
　　you may need install epel before this if you haven’t done:
　　yum install epel-release
　　2. config freeradius：
　　a. Edit /etc/raddb/clients.conf
　　add netscreen as the client of freeradius:
　　.....
　　client <your_netscreen_IP> {
　　secret = <your secretkey>
　　nastype = other
　　}
　　......
　　b. edit /etc/raddb/modules/ldap
　　At the beginning of radius to use ldap to authenticate a user, it will send a bind firstly with the search account, then it search the account of the user to be webauthed, and then it bind this webauth user account. if each step succeeds, radius reply access accept to netscreen.
　　so we have to provide the config file with a search account and some information of the webauth account such as the base DN.
　　Define your ldap server as the windows AD server as below
　　including the ldap search account(identity+ password) information:
　　......
　　ldap {
　　#
　　#  Note that this needs to match the name in the LDAP
　　#  server certificate, if you're using ldaps.
　　server = <your windows ad server ip>

　　>　　password = <password of user admin>
　　basedn = "ou=test,dc=test,dc=com"
　　filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
　　#base_filter = "(objectclass=radiusprofile)"
　　.......
　　c. /etc/raddb/sites-available/default
　　enable the ldap authentication in default file by uncomment the ldap line in different sections at least in auth section.
　　d.edit the attribute map file  /etc/raddb/ldap.attrmap
　　add below line:
　　replyItemNS-User-Group                   memberOf
　　or:
　　replyItemNS-User-Group                   memberOf        +=
　　The difference between the two lines is there is operators “+=” in the second line, which is used when the user belongs to more than one group and you want
　　all the group information to be replied to the netscreen. normally this operator is used for multi-valued attributes.
　　3. config netscreen:
　　a. set radius server information
　　set auth-server "my_radius">
　　set auth-server "my_radius" server-name <put your free radius ip address here>
　　set auth-server "my_radius" radius port 1812
　　set auth-server "my_radius" radius secret <your radius secret key>
　　set auth radius accounting port 1646
　　b. config web auth:
　　set webauth server "my_radius"
　　set interface "ethernet5/3" webauth
　　set interface "ethernet5/3" webauth-ip <your netscreen ip used for webauth>
　　set webauth server "my_radius"
　　c. config user group information, the group name should be the same as user group information defined on windows AD.
　　user group information on AD is described in memberOf attribute.
　　set user-group "CN=group1,OU=test,DC=test" type auth
　　set user-group "CN=group2,OU=test,DC=test" type auth
　　d. define the policy which allows the specific group to access the resource:
　　set policy>
　　this allows user in the group1 to access server1 from host1 after the user passes the web authentication at the web page: http://<your netscreen ip used for webauth>