On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <jvieira@clarku.edu> wrote:
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco stuff/ etc... i assume the way to do this would be to use the authorization sections, but if you add ldap to that then it automatically adds ldap authentication...which i don't want..
Upgrade to a newer version of the server, which doesn't do that.
which versions would that be?
OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file: DEFAULT <check_items (ex: Realm == 'your_domain')> Autz-Type := <your_ldap_instance (ex: ldap)>, Auth-Type := <module_instance_for_authentication> Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization & authentication method. This could also be set on a per-user basis by changing DEFAULT to the a given user's username.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Click here for free information on nursing jobs, up to $150/hour http://tagline.hushmail.com/fc/CAaCXv1Rz1mAIkYFfrrMgKeHIMrG3Yzo/
Sam Schultz wrote:
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <jvieira@clarku.edu> wrote:
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain.
peachy
keen. what i would like to be able to do is, in our openldap environment, store attributes for retrieval by radius, cisco
stuff/
etc... i assume the way to do this would be to use the
authorization
sections, but if you add ldap to that then it automatically
adds ldap
authentication...which i don't want..
Upgrade to a newer version of the server, which doesn't do
that.
which versions would that be?
OK, I think I understand what you're asking. If you want to use LDAP for authorization ONLY, and something else for authentication, you could put an entry like this in your 'users' file:
DEFAULT <check_items (ex: Realm == 'your_domain')> Autz-Type := <your_ldap_instance (ex: ldap)>, Auth-Type := <module_instance_for_authentication>
Setting Autz-Type forces a certain type of authorization. Setting Auth-Type forces a certain type of authentication. Doing this in a DEFAULT entry causes ALL users that have Fall-Through set to yes to be passed through the specified authorization & authentication method. This could also be set on a per-user basis by changing DEFAULT to the a given user's username.
so i did what you recommended, which makes sense to do... i have Autz-type := eap, and in debug mode i get this clearly an access-reject follows. auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. obviously their is a module called eap..else the daemon would not start... what do you think? Joe
participants (2)
-
joe vieira -
Sam Schultz