FR + EAP-GTC + LDAP (SHA1)
gabriel_skupien
gabriel_skupien at o2.pl
Wed May 20 13:21:04 CEST 2015
Hi,
The aim and assumptions:
- configure FR to authenticate users against an OpenLDAP server,
- FR would use an EAP method,
- passwords in LDAP are stored as SHA1,
- according to http://deployingradius.com/documents/protocols/compatibility.html the only way to deal with LDAP auth is to use PAP or EAP-GTC. Since the client forces an EAP method, we have no choice but EAP-GTC. Is that correct?
- clients are EAP-GTC capable,
- FR v2.2.6.
After some hours in my lab I finished with the following FR config:
1) in eap.conf:
- in the eap general settings I set default_eap_type to "gtc",
- in the gtc section I put "auth_type = LDAP".
2) in sites-enabled/default:
- authorize section - not touched,
- authentication section - uncommented "Auth-Type LDAP { ldap }".
And it is working fine! Now, the questions:
a) I am worried about your comments in the gtc section. It states that:
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
Can I use eap-gtc "alone", without PEAP/TTLS? A secure tunnel is provided via an IPsec connection, so I am not bothered about security in that case. What is your opinion?
b) How would you configure FR to meet the requirements mentioned above?
Gabriel
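As an added illustration (not part of the original post, and not the stock FreeRADIUS 2.2.x files), the two edits the post describes, followed by the tunnelled variant that the quoted eap.conf comment refers to: GTC runs inside PEAP and the LDAP bind happens in the inner-tunnel virtual server. The certificate paths, the `${certdir}`/`${cadir}` variables and the `inner-tunnel` server name are assumed to be the 2.2.x defaults.

```conf
# --- Variant A: bare EAP-GTC, as described in the post ---
# eap.conf
# The GTC response is the user's clear-text password; outside a TLS
# tunnel it is only protected by whatever carries the RADIUS traffic
# (here the IPsec tunnel the post mentions), so NAS-to-server exposure
# is the risk to weigh.
eap {
    default_eap_type = gtc
    gtc {
        challenge = "Password: "
        # Hand the password to the ldap module, which binds as the user.
        # A {SHA} userPassword cannot serve MS-CHAP-style challenge/response,
        # so a PAP-style bind is the only workable check.
        auth_type = LDAP
    }
}
# sites-enabled/default, authenticate section: uncomment the LDAP block
authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}

# --- Variant B: EAP-GTC inside PEAP (assumed alternative, not in the post) ---
# eap.conf
# The outer TLS tunnel protects the GTC exchange end to end, independent
# of the transport between NAS and server.
eap {
    default_eap_type = peap
    tls {
        private_key_file = ${certdir}/server.pem   # assumed default paths
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
    }
    gtc {
        challenge = "Password: "
        auth_type = LDAP
    }
    peap {
        default_eap_type = gtc            # inner method
        virtual_server = "inner-tunnel"   # inner request is processed here
    }
}
# sites-enabled/inner-tunnel, authenticate section: same LDAP block,
# but now only reachable through the PEAP tunnel
authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}
```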