On 01/15/2013 11:09 AM, Simo Sorce wrote:
> On Tue, 2013-01-15 at 16:39 +0100, Han Boetes wrote:
>> Hi,
>>
>> Since most of our cisco images do not support encryption the apparent
>> way to go is using radius which is supported by most cisco devices.
>>
>> What is the current status for making this wonderful idea work in the
>> real world.
>>
> We haven't resumed work to integrate radius as a full feature component
> of FreeIPA yet, sorry.
>
> Simo.

But this does not mean that you can't use freeradius with LDAP, Kerberos
or PAM plugin. You do not need to have integrated radius to get auth
from IPA.

http://wiki.freeradius.org/modules/Rlm_ldap
http://wiki.freeradius.org/modules/Rlm_krb5
http://wiki.freeradius.org/modules/Rlm_pam

Just configure freeradius to use one of those authentication methods and
you can use it with freeIPA.

http://deployingradius.com/documents/protocols/oracles.html

We recommend configuring EAP-TTLS if your infrastructure supports it and
using PAP as an inner method. If this is not possible you would have to
use PAP so you need to use pretty long secrets (I would say 20 bytes at
least). Keep in mind that not tunneled PAP is based on MD5 which would be
a problem if your environment needs to comply with different compliance
acts; tunneling would be a must.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.