authentication question
Hi, I am trying to authenticate our wired Windows users by using rlm_perl module over secured IMAP. When I give radtest command with a user-name and user-password it accepts; --------------------------------------------------------------------------- # radtest USERNAME PASSWORD localhost 0 testing123 Sending Access-Request of id 201 to 127.0.0.1 port 1812 User-Name = "USERNAME" User-Password = "PASSWORD" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20 --------------------------------------------------------------------------- *Radeapclient also works if I supply User-Password. But xp supplicants (naturally) doesn't send user-passwords while using eap-md5. And I really don't want to create thousands of client certificates. Which protocol do I have to use or... Is it possible? Is there a way to authenticate winxp (and vista (and also Macos users)) users without installing any client program? Supplicant (winxp) ---- NAS (hp2626) -------- WAN | | RS -- rlm_perl ----- IMAP(s) or POP3(s) servers (more than one) Thanks
Emre Ersin wrote:
I am trying to authenticate our wired Windows users by using rlm_perl module over secured IMAP.
That won't work. http://deployingradius.com/documents/protocols/oracles.html IMAP fits the same column as "LDAP bind as user".
When I give radtest command with a user-name and user-password it accepts;
Because you are supplying a clear-text password. 802.1x authentication does not do that.
But xp supplicants (naturally) doesn't send user-passwords while using eap-md5. And I really don't want to create thousands of client certificates. Which protocol do I have to use or...
Is it possible? Is there a way to authenticate winxp (and vista (and also Macos users)) users without installing any client program?
Yes. Use PEAP. It's built into Windows. For wired authentication, EAP-MD5 should work, too.
Supplicant (winxp) ---- NAS (hp2626) -------- WAN | | RS -- rlm_perl ----- IMAP(s) or POP3(s) servers (more than one)
Why? The IMAP/POP servers have a user database. Use that to authenticate 802.1x users. Using rlm_perl && IMAP/POP is horrible. Plus, it won't work. Alan DeKok.
participants (2)
-
Alan DeKok -
Emre Ersin