authentication question

Alan DeKok aland at deployingradius.com
Fri Mar 14 10:42:00 CET 2008


Emre Ersin wrote:
> I am trying to authenticate our wired Windows users by using rlm_perl module
> over secured IMAP.

  That won't work.

http://deployingradius.com/documents/protocols/oracles.html

  IMAP fits the same column as "LDAP bind as user".

> When I give the radtest command with a user-name and
> user-password it accepts;

  Because you are supplying a clear-text password.  802.1x
authentication does not do that.

> But xp supplicants (naturally) don't send user-passwords while using
> eap-md5. And I really don't want to create thousands of client certificates.
> Which protocol do I have to use or...
> 
> Is it possible? Is there a way to authenticate winxp (and vista (and also
> Macos users)) users without installing any client program? 

  Yes.  Use PEAP.  It's built into Windows.  For wired authentication,
EAP-MD5 should work, too.

> Supplicant (winxp) ---- NAS (hp2626) -------- WAN
>                           |
>                           |
>                           RS -- rlm_perl ----- IMAP(s) 
>                                              or POP3(s) 
>                                               servers 
>                                            (more than one) 

  Why?  The IMAP/POP servers have a user database.  Use that to
authenticate 802.1x users.  Using rlm_perl && IMAP/POP is horrible.
Plus, it won't work.

  Alan DeKok.
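
The following is an added example, not part of the original post or of FreeRADIUS. It shows why a yes/no password check such as an IMAP login can verify the clear-text password that radtest sends but cannot verify an EAP-MD5 response, which the server can only check by recomputing the hash from a stored password. The account, the function names and the oracle stand-in are constructed for illustration; the hash layout follows CHAP (RFC 1994).

```python
import hashlib
import hmac
import os

# Constructed sample account; not from the original post.
USER, PASSWORD = "alice", "correct horse"


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def imap_style_oracle(user: str, password: str) -> bool:
    """Stand-in for an IMAP login: answers yes/no to a clear-text password only."""
    return user == USER and hmac.compare_digest(password.encode(), PASSWORD.encode())


def verify_with_user_db(db, user, identifier, challenge, response) -> bool:
    """A server that can read the stored password recomputes the expected hash."""
    stored = db.get(user)
    if stored is None:
        return False
    expected = eap_md5_response(identifier, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def verify_with_oracle(user, identifier, challenge, response) -> bool:
    """With only an oracle, the server never sees a password to submit.
    The one-way response is all it has, and the oracle rejects it."""
    return imap_style_oracle(user, response.hex())


def demo() -> dict:
    identifier, challenge = 7, os.urandom(16)
    response = eap_md5_response(identifier, PASSWORD.encode(), challenge)
    db = {USER: PASSWORD}  # constructed user database holding the clear-text password
    return {
        # radtest case: the clear-text password reaches the server, so the oracle works
        "cleartext_via_oracle": imap_style_oracle(USER, PASSWORD),
        # EAP-MD5 checked against a user database the server can read
        "eap_md5_via_user_db": verify_with_user_db(db, USER, identifier, challenge, response),
        # EAP-MD5 with only the yes/no oracle available
        "eap_md5_via_oracle": verify_with_oracle(USER, identifier, challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```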


