Re: FR + EAP-GTC + LDAP (SHA1)

gabriel_skupien gabriel_skupien at o2.pl
Thu May 21 15:01:16 CEST 2015


>  That's probably not necessary.  Just use "auth_type = PAP".  And be sure
>  to list "ldap" in the "authorize" section.

I tried this and it is not working. It did not even try to bind to LDAP as a user.

>> 2) in sites-enabled/default: authorize section - not touched; authentication section - uncomment "Auth-Type LDAP { ldap }". And it is working fine!

>  You're usually better off letting the PAP module do the authentication. 

I do not understand how it could work without uncommenting "Auth-Type LDAP { ldap }" in the authenticate section. How would FR know to do LDAP auth without it?

>  But if it works, leave well enough alone.

>> Now, the questions: a) I am afraid about your comments in gtc section. It stands that: # Currently, this is only permitted inside of EAP-TTLS, # or EAP-PEAP. The module "challenges" the user with # text, and the response from the user is taken to be # the User-Password. # # Proxying the tunneled EAP-GTC session is a bad idea, # the users password will go over the wire in plain-text, # for anyone to see. Can I use eap-gtc "alone" without PEAP/TTLS?

>  Yes, but the passwords go over the network in the clear.

No, they do not. strongSwan is the EAP client in that case; IPsec protects communication between the clients and the strongSwan server, and additionally FR is installed on the same machine, so TTLS does not add any value here.

>>    Secure tunnel is delivered via IPsec connection so I do not bother about security in that case. What is your opinion? 

>  Can anyone ELSE on the network monitor the traffic in the IPSec
>  connection?  If so, they will be able to see everyone else's traffic.

See above.

Gabriel
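The two wirings discussed in this exchange, written out as an added illustration (this is not configuration from the thread or from the FreeRADIUS project; it assumes a FreeRADIUS 3.x layout with a stock `rlm_ldap` instance named `ldap`, and the hypothetical `auth_type = LDAP` setting in the gtc block is my guess at how the working setup is wired). Path A follows the advice in the quoted reply: the ldap module only reads the user's stored `userPassword` during `authorize`, and `rlm_pap` then compares the GTC response against that hash locally, so FreeRADIUS never binds to LDAP as the user (which matches the observation above that no user bind was attempted) and it only works if the LDAP ACLs let the RADIUS bind DN read the password attribute. Path B instead hands the GTC response to `Auth-Type LDAP`, where `rlm_ldap` performs a simple bind as the user, so the cleartext password leaves the RADIUS host for the LDAP server and that hop should be protected with TLS. In both paths the EAP-GTC response exists in cleartext on the RADIUS host; the IPsec tunnel from strongSwan protects only the client-to-gateway leg.

```conf
# Added illustration, not from the thread: two ways FreeRADIUS can check
# the cleartext password carried in an EAP-GTC response.
# Assumed: FreeRADIUS 3.x, rlm_ldap instance named "ldap", users stored
# with a hashed userPassword (the thread's subject mentions SHA1).

# --- mods-enabled/eap -------------------------------------------------
eap {
    default_eap_type = gtc
    gtc {
        challenge = "Password: "
        # Path A: run the GTC response through the "Auth-Type PAP"
        # section, so rlm_pap compares it with the hash read from LDAP.
        auth_type = PAP
        # Path B (assumed wiring of the working setup): run it through the
        # "Auth-Type LDAP" section instead, so rlm_ldap binds as the user.
        # auth_type = LDAP
    }
}

# --- mods-enabled/ldap (only the security-relevant parts) -------------
ldap {
    server = "ldap.example.org"          # placeholder hostname
    identity = "cn=radius,dc=example,dc=org"   # placeholder bind DN
    password = "REPLACE_WITH_SECRET"     # placeholder, never commit real secrets
    base_dn = "dc=example,dc=org"
    user {
        base_dn = "ou=people,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        # Path B sends the user's cleartext password in a simple bind;
        # Path A sends the bind DN's own secret. Protect both on the wire.
        start_tls = yes
        ca_file = /etc/raddb/certs/ldap-ca.pem   # placeholder path
        require_cert = "demand"
    }
}

# --- sites-enabled/default --------------------------------------------
authorize {
    preprocess
    eap          # sets Auth-Type := eap for EAP packets
    ldap         # Path A: fetches userPassword ({SHA}...) into the request
    pap          # normalises the fetched hash so rlm_pap can use it
}

authenticate {
    # Path A: local comparison, no per-user LDAP bind. Requires the bind DN
    # to have read access to userPassword; a compromised RADIUS host then
    # exposes offline-crackable hashes, so prefer salted schemes over {SHA}.
    Auth-Type PAP {
        pap
    }

    # Path B: the section named in the thread. rlm_ldap binds to the
    # directory as the user with the GTC password, so the hashes need not
    # be readable, but the password transits the LDAP connection.
    Auth-Type LDAP {
        ldap
    }

    eap
}
```

Whichever path is chosen, the EAP-GTC response is a cleartext password from the moment it reaches the RADIUS host; running FreeRADIUS on the same machine as the IPsec gateway, as described above, keeps the RADIUS hop off the network, and `start_tls` in the ldap module closes the remaining cleartext hop for path B.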
