Hi, We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users. We can get it to do one or the other, but not both. Is it possible to do both? If so, how? Thanks Matt mda@unb.ca
Matt Ashfield wrote:
We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users.
http://deployingradius.com/documents/protocols/compatibility.html LDAP doesn't do CHAP, so I'm not sure what you mean. The only EAP methods that are compatible with /etc/password is EAP-GTC, or TTLS with tunneled PAP. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I guess what I meant was that we'd want to authenticate the user in one of two ways: (1) as a System User. So the clients credentials would be compared against the system users, OR, if no such user exists (2) verify the client against credentials stored in LDAP. Both of these scenarios work individually. Meaning I can configure FR to authenticate System users. I can also configure FR to authenticate against LDAP. But we cannot seem to combine them and offer both options. Matt mda@unb.ca -----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: March 9, 2007 11:21 AM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: EAP and System users? Matt Ashfield wrote:
We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users.
http://deployingradius.com/documents/protocols/compatibility.html LDAP doesn't do CHAP, so I'm not sure what you mean. The only EAP methods that are compatible with /etc/password is EAP-GTC, or TTLS with tunneled PAP. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Matt Ashfield wrote:
I guess what I meant was that we'd want to authenticate the user in one of two ways:
(1) as a System User. So the clients credentials would be compared against the system users,
OR, if no such user exists
(2) verify the client against credentials stored in LDAP.
See doc/configurable_failover. It's easier in the CVS head, because the "unix" module doesn't have an "authenticate" section any more, as it doesn't need one. There, you can do: group { unix { updated = return } ldap }
Both of these scenarios work individually. Meaning I can configure FR to authenticate System users. I can also configure FR to authenticate against LDAP. But we cannot seem to combine them and offer both options.
Perhaps you could paste part of your configuration && part of the debug log. Odds are you're forcing system authentication, so that works... OR you're forcing LDAP, so that works. But forcing one means that the other is forbidden. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Matt Ashfield