EAP-ttls tunnel inner outer authentication credential management
Is there a way to manage in a different way the inner and the outer authentication credential in a EAP-ttls + PAP tunnel? for example authenticate the outter credential against a file and the inner against ldap dir. thanks arjuna -- View this message in context: http://www.nabble.com/EAP-ttls-tunnel-inner-outer-authentication-credential-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
theSnail wrote:
Is there a way to manage in a different way the inner and the outer authentication credential in a EAP-ttls + PAP tunnel?
for example authenticate the outter credential against a file and the inner against ldap dir.
thanks arjuna
Yes, with FreeRADIUS version 2, authentication requests are sent to an 'inner' virtual server, place your ldap module in the authorise stanza of that section, and your file module in the authorise stanza of the outer server. With V1 it's much harder.
Arran Cudbard-Bell wrote:
theSnail wrote:
Is there a way to manage in a different way the inner and the outer authentication credential in a EAP-ttls + PAP tunnel?
for example authenticate the outter credential against a file and the inner against ldap dir.
thanks arjuna
Yes, with FreeRADIUS version 2, authentication requests are sent to an 'inner' virtual server, place your ldap module in the authorise stanza of that section, and your file module in the authorise stanza of the outer server.
With V1 it's much harder. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i was refering to V1 :( , harder but not impossible? -- View this message in context: http://www.nabble.com/EAP-ttls-tunnel-inner-outer-authentication-credential-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
theSnail wrote:
Arran Cudbard-Bell wrote:
theSnail wrote:
Is there a way to manage in a different way the inner and the outer authentication credential in a EAP-ttls + PAP tunnel?
for example authenticate the outter credential against a file and the inner against ldap dir.
thanks arjuna Yes, with FreeRADIUS version 2, authentication requests are sent to an 'inner' virtual server, place your ldap module in the authorise stanza of that section, and your file module in the authorise stanza of the outer server.
With V1 it's much harder. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i was refering to V1 :( , harder but not impossible?
No conditional language in v1, so you can't really select different modules to be used at different points. Why do you want to lock down the outer identity anyway ? Is it for accounting purposes or proxying or ... ? Arran
participants (2)
-
Arran Cudbard-Bell -
theSnail