Am I going to cause a problem with this config setup?

Tom Leach leach at coas.oregonstate.edu
Tue Jun 22 17:55:32 CEST 2010


I'm trying to configure Freeradius to use LDAP (which is working), but I 
need to mix PAP and CHAP.  I have a wireless web-auth that uses PAP and 
is sending the cleartext password (tunneled via TLS) to the LDAP 
database that contains the encrypted (SSHA) user passwords.  I also have 
switches that only do CHAP but for those, I'm only going to do MAC-auth 
so I've set up a separate database (same LDAP server, different basedn) 
that contains cleartext passwords (the MAC address) for each MAC that is 
authorized for the switch.  I know it's not the best access control, but 
better than none.

I've set up 4 ldap modules, two different basedn's on two redundant servers.

This appears to work so far, but am I missing something here that's 
going to cause problems down the line?

Here are the authorize and authenticate sections of default, I haven't 
removed mschap, suffix, eap, unix or files, but none of them _should_ be 
used:

authorize {
         preprocess
         auth_log
         chap
         mschap
         suffix
         eap {
                 ok = return
         }
         unix
         files
         redundant-load-balance {
                 ldap-server1-radius
                 ldap-server2-radius
         }
         redundant-load-balance {
                 ldap-server1
                 ldap-server2
         }
         expiration
         logintime
         pap
}
authenticate {
         Auth-Type PAP {
                 pap
         }
         Auth-Type CHAP {
                 chap
         }
         Auth-Type MS-CHAP {
                 mschap
         }
         unix
         Auth-Type LDAP {
             redundant-load-balance {
                 ldap-server1
                 ldap-server2
             }
         }
         eap
}
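The reason the post needs two differently stored password sets is visible in the two protocols themselves: PAP delivers the cleartext password to the server, so the server can check it against a salted hash such as LDAP's {SSHA}, while CHAP delivers only MD5(id || secret || challenge), so the server must itself hold the secret in cleartext to recompute that value (this is why rlm_chap needs a cleartext password and rlm_pap can work from a hash). The following Python script is an added example, not code from the post or from the FreeRADIUS project; it simulates both checks against two constructed directory branches (an SSHA-hashed "user" branch and a cleartext "MAC" branch, mirroring the two basedn's in the post) and shows that a CHAP request against a hash-only entry cannot be verified. The attribute names, entries and challenge bytes are constructed for the demonstration.

```python
import base64
import hashlib
import os
from typing import Optional

# --- {SSHA} handling, as used by OpenLDAP userPassword values -----------------

def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: bytes) -> bool:
    """PAP-style check: the client sent the cleartext, so a hash is enough."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password + salt).digest() == digest


# --- CHAP (RFC 1994, MD5 variant) ---------------------------------------------

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """What the client sends: MD5(id || secret || challenge), 16 bytes."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_id: int, challenge: bytes, response: bytes,
                stored_cleartext: bytes) -> bool:
    """The server can only recompute the response if it holds the cleartext."""
    return chap_response(chap_id, stored_cleartext, challenge) == response


# --- Constructed directory branches (hypothetical entries, not real accounts) --

# "user" branch: hashed passwords, as in the post's first LDAP basedn.
USER_BASE = {"alice": make_ssha(b"correct horse", b"\x01\x02\x03\x04")}

# "MAC" branch: cleartext values, as in the post's second basedn.
MAC_BASE = {"00:11:22:33:44:55": b"00:11:22:33:44:55"}


def radius_auth(request: dict) -> str:
    """Dispatch like the post's authorize/authenticate: PAP vs CHAP by request shape.

    Returns "Accept" or "Reject". Request keys are constructed for this demo.
    """
    name = request["User-Name"]

    if "User-Password" in request:                      # PAP request
        stored = USER_BASE.get(name)
        if stored is None:
            return "Reject"
        return "Accept" if verify_ssha(stored, request["User-Password"]) else "Reject"

    if "CHAP-Response" in request:                      # CHAP request
        stored = MAC_BASE.get(name)
        if stored is None:
            # An entry that exists only as an {SSHA} hash (USER_BASE) cannot
            # satisfy CHAP: there is no cleartext to feed into MD5.
            return "Reject"
        ok = verify_chap(request["CHAP-Id"], request["CHAP-Challenge"],
                         request["CHAP-Response"], stored)
        return "Accept" if ok else "Reject"

    return "Reject"


if __name__ == "__main__":
    challenge = os.urandom(16)
    mac = "00:11:22:33:44:55"
    resp = chap_response(3, MAC_BASE[mac], challenge)
    print("PAP  alice:", radius_auth({"User-Name": "alice",
                                      "User-Password": b"correct horse"}))
    print("CHAP mac  :", radius_auth({"User-Name": mac, "CHAP-Id": 3,
                                      "CHAP-Challenge": challenge,
                                      "CHAP-Response": resp}))
    print("CHAP alice:", radius_auth({"User-Name": "alice", "CHAP-Id": 3,
                                      "CHAP-Challenge": challenge,
                                      "CHAP-Response": resp}))
```

The last call in the demo is the case the post's design sidesteps: a CHAP request for a principal that exists only as a hash is rejected because nothing on the server side can recompute the MD5. Keeping the cleartext-bearing branch limited to MAC addresses, as the post does, bounds what is exposed if that branch is ever read.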
