wireless+freeradius+AD

Laker Netman laker_netman at yahoo.com
Sun Nov 20 05:51:21 CET 2005


Comments below.

--- Alan DeKok <aland at ox.org> wrote:

> Laker Netman <laker_netman at yahoo.com> wrote:
> > First: We do not allow anonymous binding to our AD
> > LDAP. So, for testing to date, I have used
> > "Administrator" and the associated password in the
> > config file.  Obviously this is less than ideal :)
> > What is the best or better alternative?  Allowing
> > anonymous bind?  Creating a bind-only "user" for
> auth
> > purposes?
> 
>   The server needs to bind to AD only to get group
> information.  If
> you can configure a user on AD that is permitted
> only to do that, that
> would be the best thing.
> 
Not sure I understand.  To my knowledge, currently our
AD doesn't contain any info that would differentiate a
"wireless" user from one who is "wired". Based on the
authenticating NAS (which is identifiable as wired vs
wireless at least to RADIUS) how could I tie that to
an AD group? If this is possible, where is the FAQ
describing the setup process?

> > Am I correct that the NAS passes the username and
> > password to FR in cleartext?
> 
>   Not for wireless.

So, when I see cleartext passwords (provided to RADIUS
via NAS auth dialogs) in a "radiusd -X" output to the
terminal it's due to the fact that they have already
been decoded via the symmetric NAS-RADIUS key?

> 
> > Is there any method to send/receive the password
> > between FR and AD encrypted?
> 
>   SSL.

A URL or path to the RADIUS doc supporting this would
be appreciated.

> 
> > Lastly, as I mentioned earlier, I have googled,
> read,
> > googled, read, a *lot* of info.  Is there a
> CONCISE
> > site anywhere on the web the defines everything
> needed
> > without leaving out the *one* critical piece that
> > actually makes it work? ;-)
> 
>   I'm not sure what you mean by that.  The HOWTO's
> describe how to
> configure wireless with FreeRADIUS, and LDAP. 
> Follow the instructions
> and they will work.
> 
>   Do you know what you want from wireless and AD? 
> It sounds like the
> "one critical" piece you're looking for is something
> to solve a
> problem you haven't articulated.
> 
>   Alan DeKok.
>
 
My statement was intentionally flippant, though not
meant to be disrepectfully so. It is the culmination
of much frustration at finding lots of tangible data
to make a functional system, yet, all of the pages
tend to end with the cliche (paraphrasing now) "and
some other settings we all know it needs..." We who?
I'm not stupid, but I'm not perfect. THAT'S why I'm
seeking help (not judgement) from the list. If there
are useful docs I haven't found, tell me. If I don't
fully understand what I'm reading and ask for help,
either help me or don't. Please refrain from the
"holier than thou" routine.
I have read the majority of your posts since 2002 Mr.
DeKok. Clearly, you are quite knowledgable regarding
RADIUS. However, your disdain for the mortals who wish
to use a tool, rather than wonder at its mystical
intricacies is evident on repeated occasions in your
responses. So not everyone is as clever as you...
insult or help, which produces a better outcome?

Laker

> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 



	
		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com



More information about the Freeradius-Users mailing list