Freeradius + EAP-TLS + LDAP

Phil Mayers p.mayers at imperial.ac.uk
Tue Apr 19 17:18:59 CEST 2011


On 19/04/11 13:55, Alexandros Gougousoudis wrote:
> Hi,
>
> with my FR 1.x installation I am authenticating Computers via EAP-TLS
> against my Switches. Users are authenticated with PEAP, all are held in
> the users-textfile in $RADDB/users

EAP-TLS and PEAP are different.

Which do you mean?

>
> But with rising number of PCs and Users the edit of the users file is a
> bit uncomfortable. I want to upgrade everything to FR 2.1 on my
> Debian-Squeeze-Box, using LDAP, because I have already all Users and PCs
> in my OpenLDAP (for the use of Samba).

Don't do both at once.

First upgrade to 2.1

Then implement LDAP.

>
> I am a bit unsure about the doc, which says no EAP-TLS while using LDAP
> and no crypted passwords. If I read here, I have the impression that
> this is something that some people already do.

EAP-TLS doesn't use passwords. It uses client certificates.

PEAP requires plaintext or NT passwords.

Which do you mean?

>
> I like to authenticate PCs with EAP-TLS, which are in the LDAP List by
> name; there is no need to extract a cert from the LDAP-Tree. Just check
> the name and if the cert matches the server-cert the access is
> granted. As I already do now.


Can you show us an example of what you have now? One of the entries from 
your "users" file?

>
> The users should be checked by uid and the password should be checked,
> but I have of course no cleartext-password in my LDAP, they are all
> crypt or MD5 (depends on tree).

EAP-TLS doesn't use passwords.

>
> Is this possible or not?

Your query doesn't make sense.
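
The distinction the reply draws (EAP-TLS never consults a password; PEAP's inner MS-CHAPv2 needs the cleartext or the NT hash, which cannot be derived from a {CRYPT} or {MD5} digest) as an added example, not code from the thread or from FreeRADIUS itself. The userPassword values are constructed; the pure-Python MD4 is there because hashlib's md4 is often disabled under OpenSSL 3, and the {NT} prefix is the form rlm_pap accepts (Samba stores the same hash in sambaNTPassword, which is the usual source for an LDAP tree like the poster's).

```python
import struct

# Constructed sample userPassword values (crypt and MD5 as in the thread; cleartext and {NT} for contrast).
SAMPLE_USERPASSWORDS = {
    "pc01$": "{CRYPT}$1$saltsalt$placeholderhashvalue",      # constructed placeholder
    "alice": "{MD5}X03MO1qnZdYdgyfeuILPmQ==",                 # base64 MD5 digest
    "bob":   "password",                                      # cleartext
    "carol": "{NT}8846F7EAEE8FB117AD06BDD830B7586C",          # NT hash of "password"
}

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_password(cleartext: str) -> str:
    """NT-Password as rlm_mschap needs it: MD4 over the UTF-16LE cleartext, hex."""
    return md4(cleartext.encode("utf-16-le")).hex().upper()

def password_scheme(user_password: str) -> str:
    """RFC 2307 style prefix ({CRYPT}, {MD5}, {SSHA}, {NT}) or CLEAR for an unprefixed value."""
    if user_password.startswith("{") and "}" in user_password:
        return user_password[1:user_password.index("}")].upper()
    return "CLEAR"

def supported_methods(user_password: str) -> dict:
    """Which authentication paths one stored LDAP value can satisfy on the RADIUS side."""
    scheme = password_scheme(user_password)
    return {
        "EAP-TLS": True,                              # client certificate; password never consulted
        "PEAP-MSCHAPv2": scheme in ("CLEAR", "NT"),   # needs cleartext or the NT hash
        "PAP-style (EAP-TTLS/PAP, EAP-GTC)": True,    # rlm_pap can verify crypt/MD5/SSHA digests
    }
```

Running supported_methods over SAMPLE_USERPASSWORDS shows why the poster's crypt/MD5 entries are fine for EAP-TLS machines and PAP-style inner methods but cannot serve PEAP-MSCHAPv2 users.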
