eap-gtc error in authentication

Fajar A. Nugraha work at fajar.net
Wed Nov 24 14:53:38 CET 2010


On Wed, Nov 24, 2010 at 3:51 PM, Alexander Clouter <alex at digriz.org.uk> wrote:
> Robert Masters <RMasters at bunnings.com.au> wrote:
>>
>> We've been working on using Freeradius on RHEL5.4 to link a Motorola
>> RFS6000 with Oracle OID.


> What I use, other than just a version of FreeRADIUS from this decade, is
> something like the following:
> ----
> eap {
>        ...
>
>        # do *not* pass to an inner virtual server for GTC (unless you
>        # want to do secondary authentications, two-factor?)

If Robert is using Oracle OID like we've been using Lotus Domino's
LDAP, then you'd want to pass it to inner tunnel.

> This is wrong and unnecessary, you should never send the Auth-Type
> (except to Reject or Accept); especially to 'LDAP'.

You need to, in some special cases (at least on the freeradius version
I'm using, 2.1.6). The "special case" here is when you're
authenticating against an LDAP database, but the schema doesn't store
cleartext-password or some form of password crypt compatible with
freeradius, leaving you only with LDAP bind for authentication.

See http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65103.html
for relevant part in my config.

-- 
Fajar
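The situation Fajar describes (GTC inside PEAP, an LDAP directory that exposes no password attribute, so only a bind can verify the credential) can be expressed in FreeRADIUS 2.x configuration as follows. This is an added example, not Fajar's config and not the fragment in the linked message; the module and section names are the stock ones shipped with FreeRADIUS 2.x, but the exact guard around the Auth-Type assignment is an assumption and should be confirmed with `radiusd -X` on the version in use.

```conf
# eap.conf (fragment, assumed layout)
eap {
        default_eap_type = peap

        gtc {
                challenge = "Password: "
                # Treat the GTC response as a PAP-style password so the
                # inner request carries User-Password into inner-tunnel.
                auth = PAP
        }

        peap {
                default_eap_type = gtc
                # PEAP hands the inner EAP conversation to this server.
                virtual_server = "inner-tunnel"
        }
}

# sites-enabled/inner-tunnel (fragment, assumed layout)
server inner-tunnel {
        authorize {
                eap {
                        ok = return
                }

                # rlm_ldap looks the user up; with no Cleartext-Password or
                # compatible crypt attribute in the schema it cannot supply
                # anything for PAP to compare against.
                ldap

                # Only when the lookup found the user AND the request carries
                # a cleartext password (GTC/PAP, never MSCHAPv2) do we force
                # an LDAP bind as the authentication method. This is the
                # "special case" Fajar refers to; on a schema that does
                # return a password attribute, leave Auth-Type alone.
                if ((ok || updated) && User-Password && !control:Cleartext-Password) {
                        update control {
                                Auth-Type := LDAP
                        }
                }
        }

        authenticate {
                # Bind to the directory as the user with the supplied password.
                Auth-Type LDAP {
                        ldap
                }
                eap
        }
}
```

Two caveats worth keeping in mind: a bind needs the password in cleartext, so this path only exists for GTC (or plain PAP) and cannot be used for MSCHAPv2; and because the LDAP bind is the sole check, the directory's own password and lockout policy is what limits guessing attempts, so make sure it has one.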




More information about the Freeradius-Users mailing list