Mack,

Take a look at the following URL:

http://3w.denobula.com:50000/EAPTLS.pdf

It may be a little dated, but all of the info is still relevant... one thing to take notice of is that there is NO user password exchanged, as EAP/TLS does not use a user's password for authentication; that chore is handled by the fact that the supplicant contains a VALID user certificate that the server recognizes.

I think the above is what Alan is trying to convey to you: you cannot use EAP/TLS and LDAP together, as there is NO user password exchanged between the supplicant and Freeradius (or any other RADIUS server) in that mode.  If you are looking to use LDAP and a very secure method for the link between the client and the AP, you will have to use a different method (PEAP or EAP/TTLS come to mind)...

You may want to check out other supplicant software (if you are thinking of using the EAP/TTLS method, you may want to check out the Odyssey Supplicant software from Funk Software; they are the ones who came up with TTLS and are working on an RFC to that effect).

I may not have stated all of the above totally correctly, but you should get the basic meaning.... [grin]...

There are several RFCs that come with the freeradius package - I would strongly suggest reading them, as they are the basis for all the different protocols and authentication methods Alan and company have based the Freeradius software on (I think)....

I hope the above information is helpful and taken in the manner in which it was meant (to be informative and helpful)...

gm...


---------- Original Message ----------------------------------
From: "Mack" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 22 Jun 2004 12:02:33 -0400

>Alan,
>
>At your request, I'll try to reformat this so that it is presented as a problem/challenge rather than a "why doesn't my solution work" post:
>
>Problem:
>My AP is a 3com 7250.  It requires that you enable 802.1x on itself, the client, and 
>the radius server if you want to use the radius server as the "authentication" 
>server.  
>My understanding is that 802.1x requires EAP-something.  I chose EAP-TLS 
>because my client is stock XP and my understanding is that EAP-TLS is my only 
>option with that client.
>
>My boss asked me if it was possible to authenticate our wireless users against 
>Novell's eDirectory (LDAP).  He did not specifically require 802.1x/EAP-anything.  
>The only reason I'm using 802.1x/EAP is because the AP requires it.
>
>I have successfully implemented EAP-TLS authentication between the client, AP, 
>and freeradius.  Now I am attempting to "add" LDAP authentication, but have not 
>been successful.
>
>I can provide any configs/logs if needed.
>
>Solution:
>None so far.  Anyone have any suggestions/comments?  What would y'all do in my position?
>
>thanks,
>mack
>
>
>
>On 21 Jun 2004 at 23:52, Alan DeKok wrote:
>
>> "Mack" <[EMAIL PROTECTED]> wrote:
>> > My AP requires that I enable 802.1x in order to use RADIUS
>> > authentication.  So, I figured I'd use EAP-TLS.
>> 
>>   Are you picking it at random, or are you looking at the features it
>> offers, and using your requirements to decide on a solution?
>> 
>> >  I'm just testing now...using an XP client, so I chose to use
>> > EAP-TLS.  I want to use LDAP because that's where our userbase is
>> > stored (Novell eDirectory).  The idea is to authenticate users via
>> > LDAP.
>> 
>>   I thought I had been pretty clear in my response: EAP-TLS and LDAP
>> are mutually incompatible.  Stop trying to get them to work together.
>> 
>> >  I'm only using EAP-TLS because the AP won't let me use RADIUS
>> > otherwise.  Of course, I'm such a newbie that I'm probably getting
>> > it all wrong.  That's where I was hoping the list would help.
>> 
>>   You should ask about how to solve a problem, rather than asking why
>> the solution you chose didn't work.
>> 
>> > If you were given my task, how would you go about implementing this?
>> 
>>   I told you.  Go back and read my message.
>> 
>>   If you could describe a problem, I might be able to come up with an
>> alternate solution.
>> 
>>   Alan DeKok.
>> 
>> 
>> - 
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> 
>> -- 
>> This message has been scanned for viruses and
>> dangerous content by the CSU Email Gateway, and is
>> believed to be clean.
>> 
>
>---
>[This E-mail scanned for viruses by Declude Ant-Virus Scanner]
________________________________________________________________
Sent via the KillerWebMail system at mail.brev.org
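The configuration below is an added example illustrating the advice in the thread (EAP-TLS carries no password, so a password-tunnelling method such as EAP-TTLS with inner PAP is what lets FreeRADIUS check the user against LDAP). It is not code from the thread or from the FreeRADIUS project, and it is written in FreeRADIUS 3.x syntax, which postdates the 2004 discussion. The certificate paths, LDAP server name, base DN and the `cn` attribute used as the login name are assumptions; adjust them to the directory in use.

```text
# Added example (FreeRADIUS 3.x syntax, not from the original thread).
# Goal: wireless users authenticate with a username/password checked by an
# LDAP bind, while the AP still speaks 802.1X/EAP to the RADIUS server.
# The password travels only inside the EAP-TTLS TLS tunnel.

# --- mods-available/eap (excerpt) ---
eap {
    # TTLS is offered by default. EAP-TLS is deliberately not the default:
    # it carries no user password, so there is nothing to check against LDAP.
    default_eap_type = ttls

    tls-config tls-common {
        # Server certificate shown to the supplicant (assumed file names;
        # ${certdir} and ${cadir} are defined in radiusd.conf).
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }

    ttls {
        tls = tls-common
        # The decrypted inner request (PAP: User-Name + User-Password)
        # is processed by the inner-tunnel virtual server below.
        virtual_server = "inner-tunnel"
    }
}

# --- mods-available/ldap (excerpt) ---
ldap {
    server  = "ldap.example.com"        # assumed directory host
    base_dn = "ou=users,o=example"      # assumed eDirectory base DN
    user {
        base_dn = "${..base_dn}"
        # Assumed: users log in with their cn. Stripped-User-Name is used
        # when a realm suffix has been removed from the inner identity.
        filter  = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    # For PEAP/MSCHAPv2 instead of TTLS/PAP, a bind is not enough: the
    # server must obtain the NT hash or cleartext password from the
    # directory. On eDirectory that is what "edir = yes" is for.
    # edir = yes
}

# --- sites-available/inner-tunnel (excerpt) ---
server inner-tunnel {
    authorize {
        ldap
        # The inner PAP request carries User-Password, so authenticate by
        # binding to LDAP as that user rather than comparing stored hashes.
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }
        pap
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
        Auth-Type PAP {
            pap
        }
    }
}
```

To check the result without touching the AP, run the server with `radiusd -X` and drive a TTLS/PAP exchange from a test client such as `eapol_test` (shipped with wpa_supplicant); the debug output should show the inner-tunnel server receiving the User-Password and the ldap module binding as the user. Nothing changes on the 3com AP: it still does plain 802.1X to the RADIUS server, and the choice between EAP-TLS and EAP-TTLS is made by the supplicant and the server, not the AP. The practical caveat is which inner method the directory can support: TTLS with inner PAP works with any directory that allows a bind, while PEAP/MSCHAPv2 only works when FreeRADIUS can read a reversible password or NT hash from it.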