802.1x, EAP and LDAP
Mike Richardson
doctor at mcc.ac.uk
Tue Mar 4 14:10:34 CET 2008
On Tue, Mar 04, 2008 at 11:18:49AM +0000, Phil Mayers wrote:
> >How does the PAP module attempt to do the authentication? Does it do an
> >authenticated bind as the user or does it get the password variable and
> >compare it to something stored?
>
> The latter.
>
> Basically rlm_pap takes the User-Password in the request, and compares
> it against "the correct" password for the user.
>
> The ldap module is expected to have extracted the password from LDAP
> (see below).
>
> There is another mode where PAP requests can be authenticated by
> rlm_ldap, using simple bind against the LDAP server - that's the
>
> authenticate {
>     Auth-Type LDAP {
>         ldap
>     }
> }
>
> ...stuff, but you should avoid doing that if at all possible. In
> particular it won't support PEAP/MS-CHAP, the only really useful EAP
> type supported by the windows XP/vista 802.1x supplicants.
The suggestions made so far have been to uncomment this authenticate entry.
Once working should I be looking at commenting it out again and getting EAP
to work without the above bind?
> I don't know specifically what the NMAS nonsense is, but a glance at the
> rlm_ldap source code indicates it's a Novell-proprietary LDAP extension
> which the LDAP client (in this case, FreeRadius) has to call to get at
> the plaintext password for the user.
Ah, after another google search I've found another Novell article on
freeradius:
https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
which suggests using 'tls_mode=yes' and the port as 636. I've tried it and
it works - I can authenticate! However this option doesn't appear in the
radiusd.conf - is it deprecated or just not documented?
Seems that eDirectory needs an encrypted session before it'll present the
password in clear text. Makes sense.
I've also tried it with 'start_tls=yes' and port as 389, this also seems to
work. Which is the preferred method? Novell suggest the former but as it
isn't documented...
Thanks,
Mike
--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
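To make Phil's two points concrete (rlm_pap compares the request's User-Password against the value rlm_ldap pulled from the directory, and PEAP/MS-CHAP cannot be served from a bind-only setup), here is an added Python model of that comparison over the common userPassword encodings. It is an illustration written for this thread, not FreeRADIUS code: the sample directory entries are constructed, `mschap_possible` is a simplified rule, and the real rlm_pap also handles schemes such as {crypt}, {NT} and {LM} that are left out here.

```python
import base64
import hashlib
import hmac


def encode_userpassword(scheme: str, password: bytes, salt: bytes = b"") -> str:
    """Build a userPassword value in one of the common LDAP schemes."""
    if scheme == "SSHA":  # salted SHA-1: base64(sha1(pw + salt) + salt)
        return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()
    if scheme == "clear":
        return "{clear}" + password.decode()
    raise ValueError(f"unsupported scheme {scheme}")


def pap_compare(stored: str, user_password: str) -> bool:
    """Model of the rlm_pap check: hash the cleartext User-Password from the
    request the same way as the stored value, then compare in constant time."""
    pw = user_password.encode()
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[6:])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(hashlib.md5(pw).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("{clear}"):
        stored = stored[7:]
    # Bare cleartext, as eDirectory hands it over once the session is encrypted.
    return hmac.compare_digest(stored.encode(), pw)


def mschap_possible(stored: str) -> bool:
    """PEAP/MS-CHAPv2 needs the cleartext (or an NT hash) on the RADIUS side;
    a one-way userPassword hash, like a bind-only setup, cannot serve it."""
    return not stored.startswith(("{SSHA}", "{SHA}", "{MD5}", "{crypt}"))


# Constructed sample directory (not real data): the "correct" password as
# rlm_ldap would hand it to rlm_pap for three users.
SAMPLE_DIRECTORY = {
    "alice": encode_userpassword("SSHA", b"alice-pw", b"\x01\x02\x03\x04"),
    "bob": encode_userpassword("SHA", b"bob-pw"),
    "carol": encode_userpassword("clear", b"carol-pw"),
}


def authenticate(user: str, user_password: str) -> tuple:
    """Return (pap_ok, mschap_capable) for a user in the sample directory."""
    stored = SAMPLE_DIRECTORY[user]
    return pap_compare(stored, user_password), mschap_possible(stored)
```

Only carol's entry, the one released in cleartext, can back both PAP and MS-CHAP; the hashed entries work for PAP alone.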