FR1.0.5: EAP + LDAP + crypted passwds ??
aab+freeradius at drexel.edu
Mon Nov 14 16:45:27 CET 2005
Ok, I skimmed through the mailing list notes last night (mostly via
Google) and found a number of notes that said it was only possible
to do EAP authentications against an LDAP server if the server has
either cleartext passwords or NT hashes in it. Some of those notes
were very old, and the ldap_howto.txt doc is also rather old with no
reference to 802.1x, so I'm hoping to get an updated answer.
My LDAP choices are the AD domain controllers and our iPlanet LDAP
servers. The iPlanet servers have crypted passwords and no NT hash
info, so I believe they're out of this (?). The AD LDAP might have a
way for me to make use of PEAP or TTLS, but I'm running into a bit
of trouble with the user binding at this time.
I'm back to reading, but figured I'd include my AD/LDAP config just
in case someone sees something blindingly wrong with it.
andrew.
:radiusd.conf:

ldap {
        server = "domaincon.test.drexel.edu"
        basedn = "dc=drexel,dc=edu"
        # look the user up by sAMAccountName (AD login name)
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        # no identity/password set, so the search bind is anonymous
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

:eap.conf:

tls {
        # private_key_password = whatever
        # key and cert are in the same PEM file
        private_key_file = ${raddbdir}/certs/keycert.pem
        certificate_file = ${raddbdir}/certs/keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        copy_request_to_tunnel = no
        use_tunneled_reply = no
}

ttls {
        # inner method EAP-MD5: server needs the cleartext password
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
}

peap {
        # inner method EAP-MSCHAPv2: server needs cleartext or NT hash
        default_eap_type = mschapv2
}
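The constraint the poster asks about, as an added example that is not part of the original post or of FreeRADIUS: MS-CHAPv2 (the PEAP inner method above) verifies a challenge response keyed by the NT hash, which is MD4 over the UTF-16LE password. A server can compute that from a cleartext password, or read it from an attribute that ldap.attrmap maps to NT-Password, but cannot derive it from a salted one-way hash such as the {SSHA}/{crypt} values an iPlanet directory stores. PAP inside TTLS, by contrast, receives the cleartext password and can re-hash it in whatever form the directory uses. The `{NT}` hex prefix below is a convention invented for this example only; the salt and passwords are constructed test data; MD4 is implemented inline because hashlib's md4 is unavailable on OpenSSL 3 builds without the legacy provider.

```python
import base64
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def _step(fn, regs, x, s, k):
    # One MD4 step on (a, b, c, d); rotating the list makes the next
    # step act on (d, a, b, c), exactly the order RFC 1320 lists.
    a, b, c, d = regs
    a = _lrot((a + fn(b, c, d) + x + k) & _M32, s)
    return [d, a, b, c]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(h)
        for i in range(16):
            r = _step(_f, r, x[i], (3, 7, 11, 19)[i % 4], 0)
        for i in range(16):
            r = _step(_g, r, x[(i % 4) * 4 + i // 4], (3, 5, 9, 13)[i % 4], 0x5A827999)
        for i in range(16):
            r = _step(_h, r, x[r3[i]], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)
        h = [(h[i] + r[i]) & _M32 for i in range(4)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def make_ssha(password: str, salt: bytes) -> str:
    """Netscape/iPlanet-style salted SHA-1 userPassword value."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_pap(stored: str, password: str) -> bool:
    """PAP (e.g. inside EAP-TTLS) gives the server the cleartext password,
    so any stored form can be checked by re-hashing the candidate."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        cand = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(cand, digest)
    if stored.startswith("{NT}"):  # hypothetical prefix: stored NT hash, hex
        return hmac.compare_digest(bytes.fromhex(stored[4:]), nt_hash(password))
    return hmac.compare_digest(stored.encode(), password.encode())  # cleartext


def nt_hash_for_mschapv2(stored: str):
    """MS-CHAPv2 needs the NT hash itself as server-side key material.
    Returns it when the stored value yields one, else None (one-way hash)."""
    if stored.startswith("{NT}"):
        return bytes.fromhex(stored[4:])
    if stored.startswith("{"):  # {SSHA}, {crypt}, ...: no way back to NT hash
        return None
    return nt_hash(stored)  # cleartext: derive the NT hash on the fly


if __name__ == "__main__":
    ssha = make_ssha("s3cret", b"\x01\x02\x03\x04")  # constructed salt
    print("PAP vs {SSHA}:", verify_pap(ssha, "s3cret"))
    print("MSCHAPv2 vs {SSHA}:", nt_hash_for_mschapv2(ssha))
    print("MSCHAPv2 vs cleartext:", nt_hash_for_mschapv2("s3cret").hex())
```

Run it to see that the same {SSHA} entry passes a PAP check and yields no usable key for MS-CHAPv2, while a cleartext entry serves both; a stored NT hash would serve MS-CHAPv2 but, as a fixed unsalted value, is as sensitive as the cleartext password and should be protected in the directory accordingly.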