On Tue, Mar 04, 2008 at 11:18:49AM +0000, Phil Mayers wrote:
How does the PAP module attempt to do the authentication? Does it do an authenticated bind as the user or does it get the password variable and compare it to something stored?
The latter.
Basically rlm_pap takes the User-Password in the request, and compares it against "the correct" password for the user.
The ldap module is expected to have extracted the password from LDAP (see below).
There is another mode where PAP requests can be authenticated by rlm_ldap, using simple bind against the LDAP server - that's the
authenticate { Auth-Type LDAP { ldap } }
...stuff, but you should avoid doing that if at all possible. In particular it won't support PEAP/MS-CHAP, the only really useful EAP type supported by the windows XP/vista 802.1x supplicants.
The suggestions made so far have been to uncomment this authenticate entry. Once working should I be looking at commenting it out again and getting EAP to work without the above bind?
I don't know specifically what the NMAS nonsense is, but a glance at the rlm_ldap source code indicates it's a Novell-proprietary LDAP extension which the LDAP client (in this case, FreeRadius) has to call to get at the plaintext password for the user.
Ah, after another google search I've found another Novell article on freeradius: https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SA... which suggests using 'tls_mode=yes' and the port as 636. I've tried it and it works - I can authenticate! However this option doesn't appear in the radiusd.conf - is it deprecated or just not documented? Seems that eDirectory needs an encrypted session before it'll present the password in clear text. Makes sense. I've also tried it with 'start_tls=yes' and port as 389, this also seems to work. Which is the prefered method? Novell suggest the former but as it isn't documented... Thanks, Mike -- Mike Richardson Networks IT Services, University of Manchester *Plain text only please - attachments stripped on arrival*