Comments below.

--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> Laker Netman <[EMAIL PROTECTED]> wrote:
> > First: We do not allow anonymous binding to our AD LDAP. So, for testing to date, I have used "Administrator" and the associated password in the config file. Obviously this is less than ideal :) What is the best or better alternative? Allowing anonymous bind? Creating a bind-only "user" for auth purposes?
>
> The server needs to bind to AD only to get group information. If you can configure a user on AD that is permitted only to do that, that would be the best thing.

Not sure I understand. To my knowledge, currently our AD doesn't contain any info that would differentiate a "wireless" user from one who is "wired". Based on the authenticating NAS (which is identifiable as wired vs wireless at least to RADIUS), how could I tie that to an AD group? If this is possible, where is the FAQ describing the setup process?

> > Am I correct that the NAS passes the username and password to FR in cleartext?
>
> Not for wireless.

So, when I see cleartext passwords (provided to RADIUS via NAS auth dialogs) in "radiusd -X" output to the terminal, it's due to the fact that they have already been decoded via the symmetric NAS-RADIUS key?

> > Is there any method to send/receive the password between FR and AD encrypted?
>
> SSL.

A URL or path to the RADIUS doc supporting this would be appreciated.

> > Lastly, as I mentioned earlier, I have googled, read, googled, read, a *lot* of info. Is there a CONCISE site anywhere on the web that defines everything needed without leaving out the *one* critical piece that actually makes it work? ;-)
>
> I'm not sure what you mean by that. The HOWTO's describe how to configure wireless with FreeRADIUS, and LDAP. Follow the instructions and they will work.
>
> Do you know what you want from wireless and AD? It sounds like the "one critical" piece you're looking for is something to solve a problem you haven't articulated.
>
> Alan DeKok.

My statement was intentionally flippant, though not meant to be disrespectfully so. It is the culmination of much frustration at finding lots of tangible data to make a functional system, yet all of the pages tend to end with the cliche (paraphrasing now) "and some other settings we all know it needs..." We who? I'm not stupid, but I'm not perfect. THAT'S why I'm seeking help (not judgement) from the list. If there are useful docs I haven't found, tell me. If I don't fully understand what I'm reading and ask for help, either help me or don't. Please refrain from the "holier than thou" routine.

I have read the majority of your posts since 2002, Mr. DeKok. Clearly, you are quite knowledgeable regarding RADIUS. However, your disdain for the mortals who wish to use a tool, rather than wonder at its mystical intricacies, is evident on repeated occasions in your responses. So not everyone is as clever as you... insult or help, which produces a better outcome?

Laker

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
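As an added example, not from the thread or from the FreeRADIUS project itself: what the two answers above (a bind-only AD account instead of "Administrator", and LDAP over SSL) plus the wired-vs-wireless group question could look like in FreeRADIUS 3.x configuration. The host name, DNs, the service account `svc-radius`, the group `Wireless Users` and the CA file path are placeholders I chose, and the 3.x syntax is an assumption since the thread does not say which version is in use.

```conf
# mods-available/ldap (FreeRADIUS 3.x syntax, assumed): bind with a
# dedicated read-only service account over LDAPS, never a domain admin.
ldap {
    server = 'ldaps://dc1.example.com'          # placeholder host
    port = 636
    # Low-privilege account that can only read user/group objects.
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=com'
    password = 'CHANGE-ME-placeholder'            # keep out of world-readable files
    base_dn = 'DC=example,DC=com'

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = 'cn'
        membership_attribute = 'memberOf'         # AD stores group DNs on the user
    }
    tls {
        # Verify the DC's certificate so the bind password and lookups
        # cannot be intercepted by a rogue LDAP server.
        ca_file = /etc/ssl/certs/ad-root-ca.pem    # placeholder path
        require_cert = 'demand'
    }
}

# sites-enabled/default, authorize section: tie the NAS type (the only
# thing that distinguishes wired from wireless here) to an AD group.
authorize {
    ldap
    if (NAS-Port-Type == Wireless-802.11) {
        # Wireless requests are accepted only for members of one AD group;
        # LDAP-Group triggers the group membership lookup defined above.
        if (!(LDAP-Group == "CN=Wireless Users,OU=Groups,DC=example,DC=com")) {
            reject
        }
    }
}
```

Rejected wireless users then show up in "radiusd -X" output as a failed LDAP-Group comparison, which is the first thing to check when a known-good account is refused.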