Default radiusd.conf and Auth-Type LDAP comment
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Thu Sep 21 18:45:38 CEST 2006
Hi,
This is just a comment on the default radiusd.conf provided information.
In the authenticate section of the default radiusd.conf I can read
about "Auth-Type LDAP":
<quote>
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
</quote>
While usually true, this assumption is a little confusing sometimes.
Indeed, when EAP-TTLS uses PAP (not an EAP protocol I know) as its
inside authentication protocol, a cleartext password is provided to
Freeradius which is then able to use a simple ldap bind exchange to
authenticate the user.
Could we replace it with something like this:
<quote>
# Note that this means "check plain-text password against
# the ldap database", which means that most EAP types won't work
# as they do not supply a plain-text password (unless you use a
# composite EAP scheme with an inner cleartext-enabled protocol
# such as EAP-TTLS/PAP)
</quote>
But this is a little tricky...
Or more simply:
<quote>
# Note that this means "check plain-text password against
# the ldap database", which means that most EAP types won't work
# as they do not supply a plain-text password
# (an exception being EAP-TTLS with inner PAP authentication)
</quote>
The second one could be less confusing for people trying to set up
EAP-TTLS/PAP on LDAP directories, but of course this is not a big deal...
Thibault
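The configuration shape the post describes (EAP-TTLS on the outside, PAP inside the tunnel, and the plain-text inner password checked with an LDAP bind) as an added example, not taken from the post or from the stock FreeRADIUS files. It assumes a FreeRADIUS 1.x layout with radiusd.conf and eap.conf; the server name, base DN and the behaviour that the ldap module only sets Auth-Type LDAP on requests that carry a User-Password (the tunnelled PAP request, not the outer EAP request) are assumptions to verify against your version.

```conf
# radiusd.conf (excerpt, assumed 1.x layout)
modules {
	ldap {
		# assumed placeholders: replace with your directory
		server = "ldap.example.org"
		basedn = "ou=people,dc=example,dc=org"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# no Password attribute is read back: the user is authenticated
		# by binding to the directory with the supplied plain-text password
		# assumption: Auth-Type LDAP is only set when User-Password is present
		set_auth_type = yes
	}
}

authorize {
	preprocess
	# outer request: EAP-Message only, no User-Password -> eap claims it
	eap
	# inner (tunnelled) request: PAP supplies User-Password -> Auth-Type LDAP
	ldap
}

authenticate {
	# "check plain-text password against the ldap database" via a bind
	Auth-Type LDAP {
		ldap
	}
	# EAP-TTLS outer handshake and tunnel handling
	eap
}
```

```conf
# eap.conf (excerpt, assumed 1.x layout)
eap {
	default_eap_type = ttls
	tls {
		# certificate, key and CA settings as in the stock eap.conf (omitted)
	}
	ttls {
		# inner PAP is not an EAP type, so no inner EAP type is needed for it;
		# this only applies if the client sends an EAP method inside the tunnel
		default_eap_type = md5
		# hand the tunnelled request (with its User-Password) to authorize/authenticate
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
	}
}
```

The point the post makes is visible in the authorize section: an EAP-MD5 or PEAP/MSCHAPv2 request never carries User-Password, so an LDAP bind has nothing to bind with, whereas the request that EAP-TTLS decrypts from the tunnel is an ordinary PAP request and can be authenticated by the bind exactly as a non-EAP PAP client would be.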