wireless+freeradius+AD

Alan DeKok aland at ox.org
Mon Nov 21 05:02:49 CET 2005


Laker Netman <laker_netman at yahoo.com> wrote:
> Not sure I understand.  To my knowledge, currently our
> AD doesn't contain any info that would differentiate a
> "wireless" user from one who is "wired". Based on the
> authenticating NAS (which is identifiable as wired vs
> wireless at least to RADIUS) how could I tie that to
> an AD group?

  You're completely down the wrong path.  AD is a database.  It's a
directory.  Using anonymous bind, there is very little data you can
get from it.

  Stop talking about solutions, as you don't know how the technology
works.  Instead, talk about your goals, independent of the underlying
technology.

> So, when I see cleartext passwords (provided to RADIUS
> via NAS auth dialogs) in a "radiusd -X" output to the
> terminal it's due to the fact that they have already
> been decoded via the symmetric NAS-RADIUS key?

  Yes.  But you don't see that for wireless.

> > > Is there any method to send/receive the password
> > > between FR and AD encrypted?
> > 
> >   SSL.
> 
> A URL or path to the RADIUS doc supporting this would
> be appreciated.

  raddb/radiusd.conf.  See the "tls" comments in the ldap
configuration.

> My statement was intentionally flippant, though not
> meant to be disrespectfully so. It is the culmination
> of much frustration at finding lots of tangible data
> to make a functional system, yet, all of the pages
> tend to end with the cliche (paraphrasing now) "and
> some other settings we all know it needs..." We who?

  Please point to FreeRADIUS documentation that says that.  I've never
seen it.

  If you're talking about non-freeradius web sites, go complain to
them.

> I'm not stupid, but I'm not perfect. THAT'S why I'm
> seeking help (not judgement) from the list.

  Let me be perfectly clear: No one will be able to help you if you
cannot describe what you want in a manner they understand.  So far,
you've made it clear you're confused about the terminology, and you
haven't articulated what you want to do.

>  If there are useful docs I haven't found, tell me. If I don't fully
> understand what I'm reading and ask for help, either help me or
> don't.

  Part of helping you is asking you for information you haven't
supplied.  That information is needed to help you.  If your response
is to get upset, then everyone can only conclude you don't want to
solve your problem.

> I have read the majority of your posts since 2002 Mr.
> DeKok. Clearly, you are quite knowledgeable regarding
> RADIUS. However, your disdain for the mortals who wish
> to use a tool, rather than wonder at its mystical
> intricacies is evident on repeated occasions in your
> responses. So not everyone is as clever as you...
> insult or help, which produces a better outcome?

  For people who get angry when I ask for more information, insults.

  For people who answer the questions I ask, help.  And then they
solve their problem.

  You choose which group you fall into.  I don't have time to care
what you think about me.

  Alan DeKok.

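As an added example (not code from the thread or from FreeRADIUS itself), here is the RFC 2865 User-Password hiding that a PAP-speaking NAS applies with the shared secret, and the reverse that the server applies before "radiusd -X" can print the cleartext; the secret, Request Authenticator and password are constructed values, and the function names are assumptions of this example.

```python
import hashlib
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What a PAP NAS does before sending User-Password (RFC 2865 section 5.2):
    each 16-octet block is XORed with MD5(secret + previous block), where the
    'previous block' for the first block is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    # Pad with NULs to a multiple of 16; an empty password still yields one block.
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, padded_len, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block  # chaining: the next keystream block depends on this output
    return hidden

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does on receipt; the result is the cleartext that -X prints.
    Anyone holding the shared secret plus the Request Authenticator (sent in clear
    in the packet header) can do the same, so the hiding is only as strong as the
    secret and the protection of the NAS-to-RADIUS path. Trailing NULs are
    stripped, so a password ending in NUL bytes is indistinguishable from padding
    (a limitation of the RFC 2865 scheme, not of this code)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

if __name__ == "__main__":
    # Constructed values; a real NAS picks a fresh random Request Authenticator per request.
    secret, authenticator, password = b"testing123", os.urandom(16), b"correct horse battery"
    on_the_wire = hide_user_password(password, secret, authenticator)
    print("User-Password on the wire:", on_the_wire.hex())
    print("what radiusd -X would show:", reveal_user_password(on_the_wire, secret, authenticator))
```

This is also why the answer above says you do not see it for wireless: an EAP exchange carries no User-Password attribute for the shared secret to hide, so there is nothing for -X to reveal this way.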