PEAP/MS-CHAPv2 for some, Kerberos (or PAM) for others...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, First off, thanks to Alan and the "Configuring Authentication against Active Directory" HOWTO[1] for assistance in getting 802.1X authenticating against AD for WPA2 Enterprise. I currently have PEAP/MS-CHAPv2 authenticating against AD, TTLS/PAP against MIT Kerberos 5, and PEAP/MS-CHAPv2 against krb5 via KCRAP[2], thanks to a colleague who was already hacking on KCRAP for another project. (My supervisor wanted options...) Separately, they each work very smoothly, and PEAP/MS-CHAPv2/KCRAP will be going to production shortly. It would seem there are potentially multiple ways to execute my next task, and I wanted to ping the group for ideas on the most elegant way to do it. It seems like it could get complicated pretty quickly, and I'd like to avoid unnecessary config bloat. If I have to run two RADIUS servers to maintain sanity, that's fine. I'd like to integrate the function of an older RADIUS server (FR 1.0.1) into the new one (FR 2.1.3), which handles 802.1X. The old FR box handles authentication for a VPN concentrator. It has some static users defined, then defaults to PAM (which, in this context, means krb5). Krb5 works fine on the FR 2.1.3 config if I append: DEFAULT Auth-Type := Kerberos to the users file. Doing so breaks all tunneled EAP methods (which reading leads me to believe is predictable). Using PAM gives similar results, and I figured it better to use FR's native krb5 support anyway. I started down the path indicated in a seemingly-similar thread[3] from February of 2008, but my understanding of FR is still not good enough that I can parlay those (mostly FR1.x) instructions into a valid FR2.x config, in spite of Phil Mayers' general comments re: using 2.x's virtual server functionality. Are EAP and DEFAULTs mutually-exclusive? If not, what's the most effective way to approach this? Your thoughts on the matter are appreciated. I apologize in advance if there's already a wiki page or thread that deals with this, and accept links to such posts with great gusto. :-) Cheers, - -sth [1]http://deployingradius.com/documents/configuration/active_directory.html [2]http://www.spock.org/kcrap [3]http://www.nabble.com/PEAP-EAP-TTLS-acquires-DEFAULT-reply-attributes-via-ou... sam hooker|http://www.noiseplant.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmQqIoACgkQX8KByLv3aQ1YxgCgsrheI8q4pzFfHfkMJrHEVd7l NFQAmwX1Us7zhDQi8MRop1qUapJ5d8I+ =ptp9 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
On Feb 9, 2009, at 4:05 PM, sth wrote:
I'd like to integrate the function of an older RADIUS server (FR 1.0.1) into the new one (FR 2.1.3), which handles 802.1X. The old FR box handles authentication for a VPN concentrator. It has some static users defined, then defaults to PAM (which, in this context, means krb5). Krb5 works fine on the FR 2.1.3 config if I append:
DEFAULT Auth-Type := Kerberos
to the users file. Doing so breaks all tunneled EAP methods (which reading leads me to believe is predictable). Using PAM gives similar results, and I figured it better to use FR's native krb5 support anyway.
I started down the path indicated in a seemingly-similar thread[3] from February of 2008, but my understanding of FR is still not good enough that I can parlay those (mostly FR1.x) instructions into a valid FR2.x config, in spite of Phil Mayers' general comments re: using 2.x's virtual server functionality.
Are EAP and DEFAULTs mutually-exclusive? If not, what's the most effective way to approach this? Your thoughts on the matter are appreciated. I apologize in advance if there's already a wiki page or thread that deals with this, and accept links to such posts with great gusto. :-)
One way would be to not manually set Auth-Type in the users file and instead use unlang: authorize { ... update control { Auth-Type = Kerberos } } This would set Auth-Type to Kerberos if and only if no other modules in the authorize section (such as files or eap) set Auth-Type. See 'man unlang' for more details. Mike Loosbrock Bethel University Network Services 651-638-6723
participants (2)
-
Mike Loosbrock -
sth