PEAP/MS-CHAPv2 for some, Kerberos (or PAM) for others...

sth sth at noiseplant.com
Mon Feb 9 23:05:00 CET 2009


Hi folks,

First off, thanks to Alan and the "Configuring Authentication against
Active Directory" HOWTO[1] for assistance in getting 802.1X
authenticating against AD for WPA2 Enterprise. I currently have
PEAP/MS-CHAPv2 authenticating against AD, TTLS/PAP against MIT Kerberos
5, and PEAP/MS-CHAPv2 against krb5 via KCRAP[2], thanks to a colleague
who was already hacking on KCRAP for another project. (My supervisor
wanted options...) Separately, they each work very smoothly, and
PEAP/MS-CHAPv2/KCRAP will be going to production shortly.

It would seem there are potentially multiple ways to execute my next
task, and I wanted to ping the group for ideas on the most elegant way
to do it. It seems like it could get complicated pretty quickly, and I'd
like to avoid unnecessary config bloat. If I have to run two RADIUS
servers to maintain sanity, that's fine.

I'd like to integrate the function of an older RADIUS server (FR 1.0.1)
into the new one (FR 2.1.3), which handles 802.1X. The old FR box
handles authentication for a VPN concentrator. It has some static users
defined, then defaults to PAM (which, in this context, means krb5). Krb5
works fine on the FR 2.1.3 config if I append:

	DEFAULT       Auth-Type := Kerberos

to the users file. Doing so breaks all tunneled EAP methods (which
reading leads me to believe is predictable). Using PAM gives similar
results, and I figured it better to use FR's native krb5 support anyway.

I started down the path indicated in a seemingly-similar thread[3] from
February of 2008, but my understanding of FR is still not good enough
that I can parlay those (mostly FR1.x) instructions into a valid FR2.x
config, in spite of Phil Mayers' general comments re: using 2.x's
virtual server functionality.

Are EAP and DEFAULTs mutually-exclusive? If not, what's the most
effective way to approach this? Your thoughts on the matter are
appreciated. I apologize in advance if there's already a wiki page or
thread that deals with this, and accept links to such posts with great
gusto. :-)


Cheers,

-sth

[1] http://deployingradius.com/documents/configuration/active_directory.html
[2] http://www.spock.org/kcrap
[3] http://www.nabble.com/PEAP-EAP-TTLS-acquires-DEFAULT-reply-attributes-via-outer-identity-td15578550.html

sam hooker|http://www.noiseplant.com
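One way to keep a Kerberos DEFAULT from clobbering the Auth-Type that the eap module sets, written here as an added example that is not part of the original post and not FreeRADIUS's shipped configuration: scope the DEFAULT entry to the VPN concentrator's requests instead of applying it unconditionally. It assumes a FreeRADIUS 2.x `users` file, a placeholder concentrator address of 192.0.2.10, a made-up static account `vpn-svc`, and an `Auth-Type Kerberos` section already present in the server's authenticate block, as in the poster's working 2.1.3 setup.

```conf
# raddb/users (FreeRADIUS 2.x) -- added example, not from the original post.
#
# All check items before the first newline must match before an entry
# applies.  In the stock "authorize" section the "eap" module runs before
# "files" and sets Auth-Type := EAP whenever an EAP-Message is present; an
# unconditional "DEFAULT Auth-Type := Kerberos" then overwrites that with
# ":=" and breaks every tunneled EAP method.  Restricting the entry to the
# concentrator's NAS-IP-Address (192.0.2.10 is a placeholder) keeps the
# 802.1X requests out of its reach.

# Static VPN accounts carried over from the old FR 1.0.1 users file.
# "vpn-svc" and its password are made-up placeholders.
vpn-svc   NAS-IP-Address == 192.0.2.10, Cleartext-Password := "CHANGE-ME"
          Fall-Through = No

# Everyone else arriving from the concentrator: PAP checked against krb5,
# which is what the old server's PAM fallback did.  The "!*" operator is
# true only when the attribute is absent (its value token is ignored, per
# users(5)), so a request that carries an EAP-Message can never land here.
DEFAULT   NAS-IP-Address == 192.0.2.10, EAP-Message !* ANY, Auth-Type := Kerberos
          Fall-Through = No

# Requests from the 802.1X NASes fall through to the remaining entries
# with the Auth-Type chosen by "eap" intact; PEAP and TTLS inner requests
# are still handled by sites-available/inner-tunnel as before.
#
# Alternative for 2.x: give the concentrator its own "listen" socket with
# virtual_server = vpn and a separate rlm_files instance pointing at a
# dedicated usersfile; the NAS-IP-Address check is then unnecessary.
```

If the concentrator sends PAP only, the NAS-IP-Address check alone is sufficient; the EAP-Message check is there so that a mis-pointed 802.1X NAS cannot be caught by the Kerberos entry.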
