eDirectory Authentication

Alan DeKok aland at deployingradius.com
Thu Oct 11 15:50:38 CEST 2007

Brad Lachel wrote:
> We are currently using our RADIUS server to do one thing.  It is
> authenticating wireless users via Mac address through access points.
> Very clean, very simple.  We would like to increase the security a bit
> by having the users authenticate against eDirectory as well.

  RADIUS doesn't work like that.  It authenticates a user session... once.

  To put it another way, read your NAS documentation to see how to
configure it so that it authenticates both MAC and user through RADIUS.
If it doesn't say it's possible, then it's not possible.

>  If a user
> tries to get on the network, his MAC is passed to the RADIUS server.  If
> the MAC is validated, the request is passed to the Novell Server, the
> user is asked to enter his password,

  How?  Where does this happen?  What portion of the GUI shows this?
How does the access point tell the user's GUI to ask for a password?

> and then he is allowed in.  I have
> setup my config files according to several eDirectory/FreeRADIUS FAQ
> articles that I have found, but I am still having a few issues.
> 1:  I am never asked for a password

  Of course.

  What *is* possible is to have the AP do MAC authentication, and then
put the user in a captive portal.  Any attempt to do web surfing then
gets redirected to a login page.  This is called a "captive portal", and
requires a lot of additional software.  See "chillispot" for samples.

> 2:  rlm_ldap:  When I attempt to get access, I get an error message
> "could not start TLS operations error"

  Maybe the OpenLDAP people know what that means.  The error message is
produced by the OpenLDAP client library, not by FreeRADIUS.

  Alan DeKok.
