Thank you for the breakdown of what each of those do. That definitely helps me understand the process and what's going on. At the end of the day using IPsec is a great idea. We have talked about using that with other systems in the past. That is definitely worth bringing up as an option at work. The other option that is appealing is TTLS/PAP. I spun up a server at the end of the day today to start testing that out. Does it play well with active directory using Kerberos? That option sounds nice because traffic is encrypted at both ends of the FreeRADIUS server. I had been doing some research to get a better understanding on how all this worked. Alan DeKok had some great references at deployingradius.com to help me understand how all this works. I really appreciate all your guys help and feedback. I wasn't sure if FreeRADIUS had an active community or not. I've not seen a lot of talk in the freenode IRC channel. Its really nice you guys have something like this mailing list setup.
John McCarthy wrote:
The other option that is appealing is TTLS/PAP. I spun up a server at the end of the day today to start testing that out. Does it play well with active directory using Kerberos? That option sounds nice because traffic is encrypted at both ends of the FreeRADIUS server.
TTLS + PAP will work fine with Kerberos. You'll need to edit sites-enabled/inner-tunnel, and add "krb5" to the "authenticate" section. Then, in the "authorize" section, do: if (User-Password) { update control { Auth-Type := krb5 } } Also configure the krb5 file in mods-enabled/krb5. You should have Kerberos working about 30 seconds later.
I had been doing some research to get a better understanding on how all this worked. Alan DeKok had some great references at deployingradius.com to help me understand how all this works.
Thanks. Lots of people find it useful. Alan DeKok.
TTLS + PAP will work fine with Kerberos. You'll need to edit sites- enabled/inner-tunnel, and add "krb5" to the "authenticate" section. Then, in the "authorize" section, do:
Also be aware of one thing... EAP-TTLS/PAP uses an EAP method outside (EAP-TTLS) and a non-EAP method inside (PAP). If you are required (by software for example) to have an EAP authentication method in the TTLS tunnel, EAP-MD5 (the default) or EAP-GTC will likely be close enough on the FreeRADIUS end (i.e. you have either EAP-TTLS/EAP-MD5, or EAP-TTLS/EAP-GTC with GTC set to the default PAP authentication). EAP-MD5 (the default in the 'ttls' section of the 'eap' module) would *not* be the same as PAP, so it may not help with a Kerberos auth setup. With Regards Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
On Wed, Apr 09, 2014 at 08:13:27PM -0400, John McCarthy wrote:
The other option that is appealing is TTLS/PAP. I spun up a server at the end of the day today to start testing that out. Does it play well with active directory using Kerberos? That option sounds nice because traffic is encrypted at both ends of the FreeRADIUS server.
Just note that Windows 7 and before have no built-in support for TTLS/PAP, so you have to use 3rd party supplicant software. Windows 8 (and MacOS and Linux and most other things) support it. The reason why PEAP/EAP-MSCHAPv2 is so prevalent is that, if you want to log in with a username and password, it is essentially the only mechanism that Microsoft have supported until recently, and nobody generally wants to faff around with either TLS certificate management or installing other supplicants. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Alan DeKok -
John McCarthy -
Matthew Newton -
stefan.paetow@diamond.ac.uk