FR + LDAP + PAM + encryption question
From my recent thread with Alan, I have gathered that ldap only supports PAP.
PAP sends the password in plain text. Is it possible to encasuplate PAP inside another protocol say EAP to prevent from packet sniffers etc. Failing that is it possible to asign vlans bases on ldap primary group via the ntlm_auth method.
Jacob Jarick wrote:
Is it possible to encasuplate PAP inside another protocol say EAP to prevent from packet sniffers etc.
Please stop worrying about how RADIUS works. It's fine. Packet sniffers can't grab the PAP passwords.
Failing that is it possible to asign vlans bases on ldap primary group via the ntlm_auth method.
No. ntlm_auth is just for authentication. You have to configure the server to do LDAP group lookups for per-group VLAN assignment. See messages on this list in the last week or so, which include examples. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
lol, I admit I am a stress case :P One more question before crashing out tonight, which would u say is a more secure method ntlm_auth -> win2k3 ADS or ldap -> win2k3 ADS considering the encryption / encapsulation methods available. Or is this another instance where Im over thinking the isssue. On 4/23/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
Is it possible to encasuplate PAP inside another protocol say EAP to prevent from packet sniffers etc.
Please stop worrying about how RADIUS works. It's fine.
Packet sniffers can't grab the PAP passwords.
Failing that is it possible to asign vlans bases on ldap primary group via the ntlm_auth method.
No. ntlm_auth is just for authentication. You have to configure the server to do LDAP group lookups for per-group VLAN assignment. See messages on this list in the last week or so, which include examples.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Jacob Jarick