Is LDAP + EAP Possible For Me?
I've been searching for a while now, and I can't seem to find a good answer. I have an ldap server and I would like to authenticate my users wirelessly without generating individual client certs for every device. I heard that PEAP doesn't require the manual creation of client certs, but I can't use that with ldap because I can't pass it a cleartext password, right? What other options do I have to accomplish what I'm after?
On Tue, Apr 15, 2014 at 7:41 PM, Ethan Chrisawn <echrisawn@ecrsoft.com>wrote:
I've been searching for a while now, and I can't seem to find a good answer. I have an ldap server and I would like to authenticate my users wirelessly without generating individual client certs for every device.
I heard that PEAP doesn't require the manual creation of client certs, but I can't use that with ldap because I can't pass it a cleartext password, right? What other options do I have to accomplish what I'm after?
For starters: (1) what kind of LDAP server are you using? Can you get plain-text or NT-hash passwords from it? Is it Active Directory? (2) what kind of clients are you using? e.g. all windows 8? mix of clients? (3) do you have third-party WPA supplicant for your clients (e.g. odyssey access client, or something similar)? Depending on the answer for those questions, it might be possible. For example, if your clients are all windows 8 or above, then you should be able to use TTLS-PAP (which passes cleartext password in the inner tunnel). -- Fajar
Ethan Chrisawn wrote:
I've been searching for a while now, and I can't seem to find a good answer. I have an ldap server and I would like to authenticate my users wirelessly without generating individual client certs for every device.
You're looking for the wrong thing. LDAP is a database which stores passwords (among other things). EAP uses passwords. EAP doesn't use LDAP.
I heard that PEAP doesn't require the manual creation of client certs, but I can't use that with ldap because I can't pass it a cleartext password, right? What other options do I have to accomplish what I'm after?
http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
On Tue, Apr 15, 2014 at 08:41:51AM -0400, Ethan Chrisawn wrote:
I've been searching for a while now, and I can't seem to find a good answer. I have an ldap server and I would like to authenticate my users wirelessly without generating individual client certs for every device.
I heard that PEAP doesn't require the manual creation of client certs, but I can't use that with ldap because I can't pass it a cleartext password, right? What other options do I have to accomplish what I'm after?
Will your LDAP server give FreeRADIUS the cleartext password, or the NTLM password? If yes, then you can use PEAP/MSCHAPv2 or TTLS/MSCHAPv2. If no, then you're probably limited to TTLS/PAP. It depends on what your LDAP server will give access to: http://deployingradius.com/documents/protocols/compatibility.html If you're running AD, then you'll have to join FreeRADIUS to the domain and use ntlm_auth. If your LDAP server won't give access to any password, and you want to auth by binding to it, then TTLS/PAP is your only option. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Alan DeKok -
Ethan Chrisawn -
Fajar A. Nugraha -
Matthew Newton