freeradius -peap ad/ldap
joe vieira
jvieira at clarku.edu
Thu Mar 15 19:02:05 CET 2007
Sam Schultz wrote:
> On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <jvieira at clarku.edu>
> wrote:
>
>> Alan DeKok wrote:
>>> joe vieira wrote:
>>>> i have eap-peap authentication working against our ad domain. peachy
>>>> keen. what i would like to be able to do is, in our openldap
>>>> environment, store attributes for retrieval by radius, cisco stuff/
>>>> etc... i assume the way to do this would be to use the authorization
>>>> sections, but if you add ldap to that then it automatically adds ldap
>>>> authentication...which i don't want..
>>>
>>> Upgrade to a newer version of the server, which doesn't do that.
>>
>> which versions would that be?
>
> OK, I think I understand what you're asking. If you want to use LDAP
> for authorization ONLY, and something else for authentication, you
> could put an entry like this in your 'users' file:
>
> DEFAULT <check_items (ex: Realm == 'your_domain')>
> Autz-Type := <your_ldap_instance (ex: ldap)>,
> Auth-Type := <module_instance_for_authentication>
>
> Setting Autz-Type forces a certain type of authorization. Setting
> Auth-Type forces a certain type of authentication. Doing this in a
> DEFAULT entry causes ALL users that have Fall-Through set to yes to
> be passed through the specified authorization & authentication
> method.
> This could also be set on a per-user basis by changing DEFAULT to
> a given user's username.
>
so i did what you recommended, which makes sense to do... i have
Autz-type := eap, and in debug mode i get this; clearly an access-reject
follows:
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
obviously there is a module called eap... else the daemon would not start...
what do you think?
Joe