Freeradius, EAP-TTLS ans eDirectory
Hi all, We are working in a RFP and one of the customer's requirement is that we must support EAP-TTLS with Freeradius integrated with eDirectory as back-end. We were reading the Novell documentation and at the Novell page, there appears "How to integrate Novell® eDirectoryTM 8.7.1 or later with FreeRADIUS 1.0.2 on wards to allow wireless authentication for eDirectory users." and it not mntions EAP-TTLS (only EAP-TLS) SO, Some questions: 1) First, can we use Freeradius with EAP-TTLS and eDirectory as back end ? 2) if we can waht version of frereadius should we use ? 3) Ca someone send us information about how do that? I would appreciate any hel ASAP Thanks in advance.
Mariano Morano wrote:
Hi all, We are working in a RFP and one of the customer's requirement is that we must support EAP-TTLS with Freeradius integrated with eDirectory as back-end.
We were reading the Novell documentation and at the Novell page, there appears "How to integrate Novell® eDirectoryTM 8.7.1 or later with FreeRADIUS 1.0.2 on wards to allow wireless authentication for eDirectory users." and it not mntions EAP-TTLS (only EAP-TLS)
SO, Some questions:
1) First, can we use Freeradius with EAP-TTLS and eDirectory as back end ? 2) if we can waht version of frereadius should we use ? 3) Ca someone send us information about how do that?
I would appreciate any hel ASAP
Thanks in advance.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Follow Novells latest document about Integrate Novell® eDirectoryTM with FreeRADIUS
Then just make sure that these lines are present and uncommented in radius.conf # radius.conf (Fresh install these lines are present and uncommented in radius.conf) $INCLUDE ${confdir}/eap.conf authorize { eap } authenticate { eap } post-proxy { eap } then change eap.conf to look something like this.... eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { #challenge = "Password: " auth_type = PAP } tls { private_key_password = example-password private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/root.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } ttls { # default_eap_type = md5 # you may have to uncomment eithor one of these depends on your configuration... # default eap_type = pap # copy_request_to_tunnel = no use_tunneled_reply = no } # peap { # default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = no # proxy_tunneled_request_as_eap = yes #} mschapv2 { } } Create the certificates.... configure proxy.conf and client.conf and user.conf to suit your needs and your ready to go Best Regards Johann B.
Thanks Jóhann !! Could you send me the documentation from were you cut it ? Thanks again
"Jóhann B. Guðmundsson" <johannbg@hi.is> 11/28/2006 11:22 AM >>> Mariano Morano wrote: Hi all, We are working in a RFP and one of the customer's requirement is that we must support EAP-TTLS with Freeradius integrated with eDirectory as back-end.
We were reading the Novell documentation and at the Novell page, there appears "How to integrate Novell® eDirectoryTM 8.7.1 or later with FreeRADIUS 1.0.2 on wards to allow wireless authentication for eDirectory users." and it not mntions EAP-TTLS (only EAP-TLS)
SO, Some questions:
1) First, can we use Freeradius with EAP-TTLS and eDirectory as back end ? 2) if we can waht version of frereadius should we use ? 3) Ca someone send us information about how do that?
I would appreciate any hel ASAP
Thanks in advance.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Follow Novells latest document about Integrate Novell® eDirectoryTM with FreeRADIUS
Then just make sure that these lines are present and uncommented in radius.conf # radius.conf (Fresh install these lines are present and uncommented in radius.conf) $INCLUDE ${confdir}/eap.conf authorize { eap } authenticate { eap } post-proxy { eap } then change eap.conf to look something like this.... eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { #challenge = "Password: " auth_type = PAP } tls { private_key_password = example-password private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/root.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } ttls { # default_eap_type = md5 # you may have to uncomment eithor one of these depends on your configuration... #default eap_type = pap # copy_request_to_tunnel = no use_tunneled_reply = no } # peap { # default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = no # proxy_tunneled_request_as_eap = yes #} mschapv2 { } } Create the certificates.... configure proxy.conf and client.conf and user.conf to suit your needs and your ready to go Best Regards Johann B. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mariano Morano wrote:
Thanks Jóhann !!
Could you send me the documentation from were you cut it ?
Thanks again
"Jóhann B. Guðmundsson" <johannbg@hi.is> 11/28/2006 11:22 AM >>> Mariano Morano wrote: Hi all, We are working in a RFP and one of the customer's requirement is that we must support EAP-TTLS with Freeradius integrated with eDirectory as back-end.
We were reading the Novell documentation and at the Novell page, there appears "How to integrate Novell® eDirectoryTM 8.7.1 or later with FreeRADIUS 1.0.2 on wards to allow wireless authentication for eDirectory users." and it not mntions EAP-TTLS (only EAP-TLS)
SO, Some questions:
1) First, can we use Freeradius with EAP-TTLS and eDirectory as back end ? 2) if we can waht version of frereadius should we use ? 3) Ca someone send us information about how do that?
I would appreciate any hel ASAP
Thanks in advance.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Follow Novells latest document about Integrate Novell® eDirectoryTM with FreeRADIUS
Then just make sure that these lines are present and uncommented in radius.conf
# radius.conf (Fresh install these lines are present and uncommented in radius.conf)
$INCLUDE ${confdir}/eap.conf
authorize { eap }
authenticate { eap }
post-proxy { eap }
then change eap.conf to look something like this....
eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no
md5 { }
leap { }
gtc { #challenge = "Password: " auth_type = PAP }
tls { private_key_password = example-password private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/root.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes }
ttls { # default_eap_type = md5 # you may have to uncomment eithor one of these depends on your configuration... #default eap_type = pap # copy_request_to_tunnel = no use_tunneled_reply = no }
# peap { # default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = no # proxy_tunneled_request_as_eap = yes #} mschapv2 { } }
Create the certificates....
configure proxy.conf and client.conf and user.conf to suit your needs and your ready to go
Best Regards Johann B.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html You will get the documentation ( Read the comments in eap.conf and radius.conf ) when you install freeradius. eap.conf is just default eap.conf with stripped comments out of it and changes to
default_eap_type = md5 --> default_eap_type = tls ( which I think novell document tells you to do, havent read it) and I added #default eap_type = pap since I didnt now how your password were encrypted ( pap supports clear-text NT-has MD5-hash Salted-MD5-hash SSHA1-hash Salted-SSHA1-hash Unix-Crypt) Best regards Johann B.
participants (2)
-
"Jóhann B. Guðmundsson" -
Mariano Morano