freeradius 2.05 peap and ldap bind?
Freeradius experts, We just installed freeradius 2.05 on a Centos 5 system. We got PEAP working rather quickly against our ldap server against LM/NT passwords. We would also like to allow clients using Securew2 supplicants configured for TTLS -PAP connections against (crypt and SSHA) passwords stored in our ldap database. I presume we need to do an ldap bind? How do I configure TTLS-pap requests to do an ldap bind for authorization/authentication without breaking PEAP in 2.05? which 2.05 config file(s) will handle this directly? Note: In the old 1.x configs, I used to use the following authorize and authentication configs show below to allow secureW2 users configured with TTLS-pap to work: authorize { preprocess chap mschap suffix eap ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
Tim Tyler wrote:
Freeradius experts, We just installed freeradius 2.05 on a Centos 5 system. We got PEAP working rather quickly against our ldap server against LM/NT passwords. We would also like to allow clients using Securew2 supplicants configured for TTLS -PAP connections against (crypt and SSHA) passwords stored in our ldap database.
That shouldn't be hard.
I presume we need to do an ldap bind?
I would suggest not. LDAP bind is a hack. LDAP is a *database*. Use it as a *database*.
How do I configure TTLS-pap requests to do an ldap bind for authorization/authentication without breaking PEAP in 2.05? which 2.05 config file(s) will handle this directly?
Configure the LDAP module to pull the passwords from LDAP, and add them into the request. This is, in fact, in the default config.
Note: In the old 1.x configs, I used to use the following authorize and authentication configs show below to allow secureW2 users configured with TTLS-pap to work: ...
In 2.0, the virtual servers make your life easier. A LOT easier. See raddb/inner-tunnel, and references to "inner-tunnel" in raddb/eap.conf. There's even a sample config for testing the inner tunnel portion without doing EAP... Alan DeKok.
We just installed freeradius 2.05 on a Centos 5 system. We got PEAP working rather quickly against our ldap server against LM/NT passwords. We would also like to allow clients using Securew2 supplicants configured for TTLS -PAP connections against (crypt and SSHA) passwords stored in our ldap database.
You have done it. If PEAP works, so will EAP-TTLS/PAP. Ivan Kalik Kalik Informatika ISP
Ivan, Alan, We now have peap and ttls-pap working. It turns out you were both right. What tricked us for a long period of time is that we had to comment out unix because our testing server had the ldap users on it for other testing purposes. The unix module was thwarting the ldap module for ttls-pap. If this had not been the case, we probably would have had ttls - pap working as fast as peap. In our live environment, we don't have end users on the same server so this normally wouldn't have been an issue. Commenting out unix allowed ttls-pap to work properly. Thanks! Tim At 12:56 PM 6/11/2008, Ivan Kalik wrote:
We just installed freeradius 2.05 on a Centos 5 system. We got PEAP working rather quickly against our ldap server against LM/NT passwords. We would also like to allow clients using Securew2 supplicants configured for TTLS -PAP connections against (crypt and SSHA) passwords stored in our ldap database.
You have done it. If PEAP works, so will EAP-TTLS/PAP.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
participants (3)
-
Alan DeKok -
Ivan Kalik -
Tim Tyler