Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

[John Dennis]

On 04/10/2013 12:03 AM, pramod kulkarni wrote:
>     Thanks John for the reply.
>     can I use EAP-TLS method of authentication with LDAP as backend
>     datastore to check usernames and passwords.
 >     It would be like I bind to RADIUS server with EAP-TLS method using
 >     certificate and check usernames and passwords from LDAP server
 >     if yes on EAP-TLS can you please tell me how to configure EAP-TLS
 >     with LDAP as backend datastore.

This is a nonsensical question, EAP-TLS uses certificates. You do not 
yet understand some of the basics. You need to invest some time in 
learning the what the authentication mechanisms are and how they 
operate, this is a good starting place.

http://deployingradius.com/documents/protocols/

>     Basically I want to avoid harcoded usernames and passwords in raddb
>     of RADIUS server for authenticating users which I am doing currently .

What the configuration block in modules/ldap is setting up is how the 
radius server can communicate with the LDAP server in a peer-to-peer 
relationship. The LDAP server has to know who the radius server is and 
if it has permission to access other users passwords and password 
hashes. Therefore radiusd must authenticate to LDAP. This process is 
completely *independent* of any of the authentication protocols, it's 
merely establishing if radius can view certain data.

The way rlm_ldap is currently coded only simple binds (i.e. password 
based) are supported, therefore you must store a password in raddb. You 
are correct this is a security issue, however only root and the radius 
process should be able to read the file. On our systems we make sure the 
permissions and identities the processes run under assure this, if 
you've installed via some other mechanism it behooves you to assure the 
radius user and group are properly configured as well as the file 
permissions on the config files. Any by the way no I won't tell you how 
to do this, it's system admin 101. I'm pretty sure the defaults assure 
this as well, but I haven't verified.

There are other ways to establish the trust between radiusd and LDAP 
beside simple binds which do not involve passwords. All of these use 
SASL in some form. Unfortunately rlm_ldap does not support them. I know 
Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't 
know if SASL support was added or not. In any event this is an open 
source project and if you want this functionality then the usual mantra 
"Patches Welcome" applies.

Oh, and by the way just in case you're confused as to the TLS parameters 
in the ldap config, they have nothing to do with binding (i.e. 
authenticating radiusd to LDAP), their purpose is to establish a secure 
tunnel between radiusd and LDAP. You can request the tunnel only be 
established if certificate based authentication succeeds but a simple 
bind will still be performed inside the tunnel.

HTH,

John

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/