Manage client in LDAP...
I'm not an expert on freeradius, but at work i manage successfully a setup with freeradius binded to an AD domain, successfully autheticate wireless clients with MSCHAPv2. At home i need to extend my wireless coverage (for now, i use an hostapd and a wireless interface in my server), and so i've thinked about using LDAP as a source for auth data, using as AP some OpenWRT/LEDE routers. Yes, i can use WPA/WPA2 personal, but i want to experiment and continue to assign different credential for different MAC addess. ;) I've found the basic setup info on: https://wiki.freeradius.org/modules/Rlm_ldap and some other info on how add clients to the LDAP on: https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html#id... Also i've found some forum/blog pages around, but all seems to be about freeradius 2, and does not provide clues on why (at least to me). For example, i suppose i have to use WPA2-Enterprise with EAP-TTLS, but i've not found a place that clarify if the password in LDAP have to be 'in clear', or hashed, and how hashed. Someone have some info, or a good link? Thanks. -- There are only 10 kinds of people in the world -- Those who understand binary, and those who don't. (Roberto Maglica)
On Oct 10, 2021, at 12:15 PM, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
I'm not an expert on freeradius, but at work i manage successfully a setup with freeradius binded to an AD domain, successfully autheticate wireless clients with MSCHAPv2.
That's good.
At home i need to extend my wireless coverage (for now, i use an hostapd and a wireless interface in my server), and so i've thinked about using LDAP as a source for auth data, using as AP some OpenWRT/LEDE routers. Yes, i can use WPA/WPA2 personal, but i want to experiment and continue to assign different credential for different MAC addess. ;)
OK.
I've found the basic setup info on:
https://wiki.freeradius.org/modules/Rlm_ldap
and some other info on how add clients to the LDAP on:
https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html#id...
I think you mean adding user accounts to LDAP. But OK...
Also i've found some forum/blog pages around, but all seems to be about freeradius 2, and does not provide clues on why (at least to me).
People write docs, and then don't update them for 10 years. :(
For example, i suppose i have to use WPA2-Enterprise with EAP-TTLS, but i've not found a place that clarify if the password in LDAP have to be 'in clear', or hashed, and how hashed.
It depends...
Someone have some info, or a good link? Thanks.
http://deployingradius.com/documents/protocols/compatibility.html What's safest is to put salted / encrypted passwords into the database, and then use TTLS+PAP. But not everything supports this. Alan DeKok.
Mandi! Alan DeKok In chel di` si favelave...
https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html#id...
I think you mean adding user accounts to LDAP. But OK...
Yes, sure... i was 'confused' on how auth data have to be saved on LDAP, so...
http://deployingradius.com/documents/protocols/compatibility.html What's safest is to put salted / encrypted passwords into the database, and then use TTLS+PAP. But not everything supports this.
OK; so probably a better query would be against 'freeradius eap ttls pap ldap'... found: https://carloalbertoscola.it/2019/network/security/linux/freeradius-3-setup-... minus mysql, plus ldap... ;-) -- Worrying about case in a Windows (AD) context is one of the quickest paths to insanity. (Patrick Goetz)
participants (2)
-
Alan DeKok -
Marco Gaiarin