A.L.M.Buxey@lboro.ac.uk wrote:
"captive portal" - there are several software tools that will do this... eg http://en.wikipedia.org/wiki/Captive_portal
most people seem to be moving away from this method as it is riddled with possible security compromises.
Thanks for the heads-up. I'll take a look at it, but keep in mind the possible security implications (i'll google).
PAP uses clear text (unencrypted) password authentication. whilst the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted session) when you CAN see the PAP in the clear is when its being sent over to LDAP - so you need to make sure that that communication is encrpyted...either by making sure its configured to use SSL for its communication channel...or simply 'stunnel'ing the traffic.
start_tls = no
^^^^^^^^^^^^^^
this!
As mentioned in my reponse to Stefan, this is not a concern for me as they're on the same host communicating exclusively over the loopback interface. On a side-note, I've now noticed that radius doesn't appear to be respecting my ldap filter. base_filter = "(objectclass=radiusprofile)" but i can authenticate as a user without a radiusprofile attribute. Ideas? Thanks, John