Freeradius + EAP-TLS + LDAP
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 19 17:18:59 CEST 2011
On 19/04/11 13:55, Alexandros Gougousoudis wrote:
> Hi,
>
> with my FR 1.x installation I'am authenticating via EAP-TLS Computers
> against my Switches. User are authenticated with PEAP, all are held in
> the users-textfile in $RADDB/users
EAP-TLS and PEAP are different.
Which do you mean?
>
> But with rising number of PCs and Users the edit of the users file is a
> bit uncomfortable. I want to upgrade everything to FR 2.1 on my
> Debian-Squeeze-Box, using LDAP, because I have already all Users and PCs
> in my OpenLDAP (for the use of Samba).
Don't do both at once.
First upgrade to 2.1
Then implement LDAP.
>
> I'am a bit unsure about the doc, which says no EAP-TLS while using LDAP
> and no crypted passwords. If I read here, I have the impression that
> this is something what some people already do.
EAP-TLS doesn't use passwords. It uses client certificates.
PEAP requires plaintext or NT passwords.
Which do you mean?
>
> I like to authenticate PCs with EAP-TLS, which are in the LDAP List by
> name, there is no need to extract an cert from the LDAP-Tree. Just check
> the name and if the cert matches to the server-cert the access is
> granted. As I already do now.
Can you show us an example of what you have now? One of the entries from
your "users" file?
>
> The users should be checked by uid and the password should be checked,
> but I have of course no cleartext-password in my LDAP, they are all
> crypt or MD5 (depends on tree).
EAP-TLS doesn't use passwords.
>
> Is this possible or not?
Your query doesn't make sense.
More information about the Freeradius-Users
mailing list