Active Directory AUTHENTICATION with LDAP AUTHORIZATION

Brian Julin BJulin at clarku.edu
Wed Aug 16 21:35:57 CEST 2017


Tom Yard <tomyyard at gmail.com> wrote:

> 2) I can't understand this comment from you: "but why are you running ldap
> in the outer phase?" Can you explain to me in more detail please ???

The inner tunnel server happens inside the TLS crypto tunnel.
You should do LDAP there.  User-Name in the outer (default) server
is untrustworthy data which should only be used for routing requests
around relays.

For example, people can lie about their usernames, putting one
username in the outer envelope and a different username inside
the TLS tunnel.  Only trust the one that you get in inner-tunnel.

To be more exact, you can trust most fields in the outer
server ("default")... anything that your NAS adds to the RADIUS
packet can be trusted, assuming your backbone is secure of course.
But the NAS just passes User-Name along untouched.

If you are just using LDAP to accept/reject then this is easy.  If
you are using it to choose VLANs, then you have to leak the
VLAN choice out of the inner tunnel server to the outer server,
so it can tell the NAS in cleartext.
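The split described above, written out as an added example (not configuration from the original post or from the FreeRADIUS project's shipped files): LDAP lookups and the VLAN decision live in the inner-tunnel virtual server, where User-Name is the identity the supplicant actually authenticated, and the resulting Tunnel-* attributes are copied into the outer request's session-state list so the outer ("default") server can put them in the cleartext Access-Accept. The syntax assumes FreeRADIUS 3.0.x; the group DN `cn=staff,ou=groups,dc=example,dc=com`, the VLAN ID `20`, and the assumption that the `ldap` module is already configured to resolve group membership are placeholders.

```unlang
#  Added example (not from the original post).  Assumes FreeRADIUS 3.0.x
#  and an ldap module already configured for group lookups.

#  raddb/sites-available/inner-tunnel -- runs INSIDE the TLS tunnel.
server inner-tunnel {
	authorize {
		filter_username
		suffix
		eap {
			ok = return
		}
		#  LDAP belongs here: this User-Name is the one that will be
		#  authenticated, not the forgeable outer identity.
		ldap
		if ((ok || updated) && User-Password) {
			update {
				control:Auth-Type := ldap
			}
		}
		mschap
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		Auth-Type LDAP {
			ldap
		}
		eap
	}

	post-auth {
		#  Authorization (VLAN choice) is made on the trusted inner identity.
		#  Group DN and VLAN number are hypothetical placeholders.
		if (LDAP-Group == "cn=staff,ou=groups,dc=example,dc=com") {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "20"
			}
		}
		else {
			reject
		}
		#  "Leak" the VLAN choice out of the tunnel: stash the inner reply
		#  attributes in the outer request's session-state list ...
		update {
			&outer.session-state: += &reply:
		}
	}
}

#  raddb/sites-available/default -- outer server, talks cleartext to the NAS.
server default {
	authorize {
		filter_username
		suffix
		#  No "ldap" here: the outer User-Name (often anonymous@realm)
		#  is only good for routing to a realm, not for authorization.
		eap {
			ok = return
		}
	}

	authenticate {
		eap
	}

	post-auth {
		#  ... and copy them into the Access-Accept sent to the NAS.
		update {
			&reply: += &session-state:
		}
	}
}
```

With this layout the outer server never consults LDAP at all, so a client that puts a privileged name in the outer envelope and a different one inside the tunnel gets the VLAN (or the reject) that belongs to the inner, authenticated identity.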


