802.1x, EAP and LDAP
Alan DeKok
aland at deployingradius.com
Tue Mar 4 07:33:09 CET 2008
Mike Richardson wrote:
> I've been making changes for 8 hours a day for over a week so it might
> differ from the original.
Which is a bit of a problem in and of itself.
> However I've been back to the defaults twice. As of
> tomorrow I'll reinstall and try it again. From what you're saying I believe
> I need to put in the LDAP config for our eDirectory and uncomment any LDAP
> authorisation/authentication entries. Anything else?
Not for LDAP.
> Then I can use radtest to test the authentication?
Yes.
> How does the config know to use PAP rather than CHAP/MSCHAP?
Because all of the experience of the developers working for years with
RADIUS is distilled into the configuration files.
> I've been through every config guide I can find on the net, several times.
If it takes more than 10 minutes to get FreeRADIUS authenticating to
LDAP, ask a question on the list. Honestly. It's *so* much better to
get an answer on the list than to fight for a week...
> It's only today though that I found a site which explained the limitations
> of the PAP/CHAP/MSCHAP with respect to password encryptions.
My deployingradius.com site? It has a number of resources.
> Most guides
> assume MSCHAP, for use with PEAP, and most use flat file user
> authentication. Not many touch on LDAP and only Novell have eDirectory based
> documentation.
Of course. Only Novell understands how eDirectory works.
For LDAP, buy the O'Reilly OpenLDAP book. It has a good section on
getting OpenLDAP && FreeRADIUS to talk to each other. It's very quick...
Alan DeKok.