Manage client in LDAP...
Alan DeKok
aland at deployingradius.com
Mon Oct 11 15:05:39 CEST 2021
On Oct 10, 2021, at 12:15 PM, Marco Gaiarin <gaio at lilliput.linux.it> wrote:
> I'm not an expert on freeradius, but at work I successfully manage a setup
> with freeradius bound to an AD domain, successfully authenticating wireless
> clients with MSCHAPv2.
That's good.
> At home I need to extend my wireless coverage (for now, I use hostapd and
> a wireless interface in my server), and so I've thought about using LDAP as
> a source for auth data, using some OpenWRT/LEDE routers as APs.
> Yes, I can use WPA/WPA2 personal, but I want to experiment and continue to
> assign different credentials for different MAC addresses. ;)
OK.
> I've found the basic setup info on:
>
> https://wiki.freeradius.org/modules/Rlm_ldap
>
> and some other info on how to add clients to the LDAP on:
>
> https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html#idm2599
I think you mean adding user accounts to LDAP. But OK...
> Also I've found some forum/blog pages around, but all seem to be about
> freeradius 2, and do not provide clues on why (at least to me).
People write docs, and then don't update them for 10 years. :(
> For example, I suppose I have to use WPA2-Enterprise with EAP-TTLS, but I've
> not found a place that clarifies if the password in LDAP has to be 'in
> clear', or hashed, and how hashed.
It depends...
> Does anyone have some info, or a good link? Thanks.
http://deployingradius.com/documents/protocols/compatibility.html
What's safest is to put salted / encrypted passwords into the database, and then use TTLS+PAP. But not everything supports this.
Alan DeKok.
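
An added example, not part of the original message and not FreeRADIUS code: why a salted hash in LDAP pairs with TTLS+PAP. PAP hands the server the cleartext inside the TLS tunnel, so the server can re-hash it with the stored salt; challenge-response methods never deliver the cleartext, so a salted hash cannot be checked against them. The `{SSHA}`, `{SSHA256}` and `{SSHA512}` header layout (base64 of digest followed by salt) and all function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed scheme headers -> hashlib algorithm.
# Stored value layout: "{SCHEME}" + base64(digest(password + salt) + salt)
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}


def make_salted(password, scheme="SSHA512", salt=None):
    """Build a userPassword-style value with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(SCHEMES[scheme], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def parse(stored):
    """Split '{SCHEME}base64' into (scheme, digest, salt)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no scheme header on stored value")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)
    size = hashlib.new(SCHEMES[scheme]).digest_size
    if len(raw) <= size:
        raise ValueError("stored value carries no salt")
    return scheme, raw[:size], raw[size:]


def pap_verify(stored, cleartext):
    """Check a PAP-supplied cleartext password against the stored salted hash."""
    scheme, digest, salt = parse(stored)
    candidate = hashlib.new(SCHEMES[scheme], cleartext.encode() + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = make_salted("correct horse")  # constructed sample password
    print(stored)
    print(pap_verify(stored, "correct horse"), pap_verify(stored, "wrong"))
```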