PAP authentication to Active Directory
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jul 13 19:25:03 CEST 2011
On 07/13/2011 06:04 PM, Axford M.F. wrote:
> Hi
>
> I'm currently setting up a radius server to authenticate EAP based requests against Active Directory.
>
> Using Alan Dekok's guide I've got this authenticating mschap based EAP requests successfully.
>
> I also want to authenticate ttls/pap requests and I've found two ways to do this that seem to work.
>
> Method 1 is based on whats in http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html
>
> Method 2 is to use LDAP for pap authentications.
>
> All things being equal my preference is to use Method 1 as it keeps all authentications the same, however the:
>
>     if (!control:Auth-Type) {
>         update control {
>             Auth-Type = ntlm_auth_pap
>         }
>     }
>
> in the inner-tunnel/authorize section seems a bit like a hack. Is there a better way to do this?
We do this:
    server inner-tunnel {
        authorize {
            ...
            mschap
            eap
            pap
        }
        authenticate {
            Auth-Type PAP {
                ntlm_auth_pap
            }
            ...
        }
    }
...which is, in its own way, a hack (run the "pap" module to set the
Auth-Type, run a different module to service it). Your solution isn't so
bad; the "pap" module itself basically only does this internally:

    if (!control:Auth-Type && User-Password) {
        update control {
            Auth-Type := PAP
        }
    }
>
> Is either method particularly better than the other?
There might be circumstances in which LDAP is better; but knowing how
the protocols work and the failure modes of the two modules in
FreeRADIUS, I doubt it.
It also means you don't need a username to bind to LDAP for you, which
is just another bit of config to get wrong, go out of date, have an expired
password, or be compromised...
If you don't need LDAP for other reasons (e.g. groups) then don't bother
with it.
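As an added example (not Phil's config and not the FreeRADIUS project's own), here is how the pieces fit together in a FreeRADIUS 2.x layout: the exec module instance that the thread's `ntlm_auth_pap` name refers to, plus the inner-tunnel wiring in the OP's style with the same `User-Password` guard the `pap` module applies internally. The file names, instance name, ntlm_auth path and domain are assumptions.

```unlang
# modules/ntlm_auth_pap  (assumed file name and instance name)
# An exec instance that asks winbind to verify a cleartext password against AD.
# It is only reachable inside the TTLS tunnel, so User-Password never crosses
# the wire unencrypted.
exec ntlm_auth_pap {
	wait = yes           # block for the exit code: 0 means the password was accepted
	shell_escape = yes   # escape the expanded attributes before the shell sees them
	# Binary path and domain are assumptions. %{mschap:User-Name} strips any
	# DOMAIN\ or @realm decoration from the inner User-Name before the lookup.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# sites-enabled/inner-tunnel
server inner-tunnel {
	authorize {
		mschap      # sets Auth-Type = MS-CHAP when MS-CHAP attributes are present
		eap         # sets Auth-Type = EAP for a nested EAP method
		# Plain PAP inside the tunnel: only when nothing else has claimed the
		# request AND a User-Password is actually present. A request with no
		# password then has no Auth-Type and is rejected by the server itself,
		# instead of reaching ntlm_auth with an empty password argument.
		if (!control:Auth-Type && User-Password) {
			update control {
				Auth-Type := ntlm_auth_pap
			}
		}
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap      # the mschap module hands challenge/response to ntlm_auth itself
		}
		Auth-Type ntlm_auth_pap {
			ntlm_auth_pap
		}
		eap
	}
}
```

Any bind account, keytab or LDAP password policy stays out of the picture; the only credential the server holds is winbind's machine-account join, which the mschap path already depends on.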