I'm trying to configure Freeradius to use LDAP (which is working), but I
need to mix PAP and CHAP. I have a wireless web-auth that uses PAP and
is sending the cleartext password (tunneled via TLS) to the LDAP
database that contains the encrypted (SSHA) user passwords. I also have
switches that only do CHAP but for those, I'm only going to do MAC-auth
so I've set up a separate database (same LDAP server, different basedn)
that contains cleartext passwords (the MAC address) for each MAC that is
authorized for the switch. I know it's not the best access control, but
better than none.
I've set up 4 ldap modules, two different basedn's on two redundant servers.
This appears to work so far, but am I missing something here that's
going to cause problems down the line?
Here are the authorize and authenticate sections of default. I haven't
removed mschap, suffix, eap, unix or files, but none of them _should_ be
used:
authorize {
        preprocess
        auth_log
        # CHAP-Password present -> sets Auth-Type CHAP (switch MAC-auth)
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        # first basedn, spread across the two redundant LDAP servers
        redundant-load-balance {
                ldap-server1-radius
                ldap-server2-radius
        }
        # second basedn, same two servers
        redundant-load-balance {
                ldap-server1
                ldap-server2
        }
        expiration
        logintime
        # User-Password present -> sets Auth-Type PAP (wireless web-auth)
        pap
}

authenticate {
        # cleartext password from the NAS, checked against the SSHA hash LDAP returned
        Auth-Type PAP {
                pap
        }
        # MD5 response from the NAS, checked against the cleartext password LDAP returned
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        # only used if an ldap module set Auth-Type LDAP (bind as the user)
        Auth-Type LDAP {
                redundant-load-balance {
                        ldap-server1
                        ldap-server2
                }
        }
        eap
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
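The reason the post needs two LDAP trees is that PAP and CHAP place different demands on what the directory stores: PAP delivers the cleartext password, so FreeRADIUS can check it against a salted {SSHA} hash, whereas CHAP delivers MD5(id || secret || challenge), which the server can only recompute if it has the secret in cleartext. The following is an added example, not code from the post or from FreeRADIUS, that models both checks in Python and shows that a CHAP response cannot be verified against an {SSHA} value. The user name, password, MAC address, salt and challenge are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- PAP side: the NAS sends the cleartext password, so a salted hash in LDAP is enough ---

def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """Check a cleartext candidate (as received via PAP) against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the remainder is the salt
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


# --- CHAP side: the NAS sends MD5(id || secret || challenge), never the secret itself ---

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


def chap_verify(chap_id: int, challenge: bytes, response: bytes, cleartext_secret: bytes) -> bool:
    """The server recomputes the MD5 over the cleartext secret; a hash of the secret is useless here."""
    expected = chap_response(chap_id, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)


# --- Dispatcher modelling the two LDAP trees described in the post ---

def authenticate(method: str, stored_password: str, **req) -> Tuple[bool, str]:
    """Decide whether a request can be verified against what LDAP stores.

    stored_password is either an {SSHA} value (web-auth tree) or a cleartext
    string (MAC-auth tree). Returns (accepted, reason).
    """
    is_hashed = stored_password.startswith("{SSHA}")
    if method == "PAP":
        pw = req["password"]
        if is_hashed:
            return ssha_verify(stored_password, pw), "pap vs ssha"
        return hmac.compare_digest(stored_password.encode(), pw), "pap vs cleartext"
    if method == "CHAP":
        if is_hashed:
            # There is no way to derive MD5(id || secret || challenge) from SHA-1(secret || salt).
            return False, "chap needs cleartext password in LDAP"
        ok = chap_verify(req["chap_id"], req["challenge"], req["response"], stored_password.encode())
        return ok, "chap vs cleartext"
    raise ValueError("unsupported method %s" % method)


# Constructed sample data (hypothetical, not taken from the post).
WEBAUTH_USER_SSHA = ssha_hash(b"correct horse battery", salt=b"\x01\x02\x03\x04")
MAC_ADDR = "00-11-22-33-44-55"      # MAC-auth: the switch sends the MAC as the password
MAC_USER_CLEARTEXT = MAC_ADDR


def demo() -> dict:
    """Run the cases a practitioner cares about and return their outcomes."""
    challenge = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
    good_chap = chap_response(7, MAC_USER_CLEARTEXT.encode(), challenge)
    bad_chap = chap_response(7, b"wrong", challenge)
    return {
        "pap_webauth_ok": authenticate("PAP", WEBAUTH_USER_SSHA, password=b"correct horse battery"),
        "pap_webauth_bad": authenticate("PAP", WEBAUTH_USER_SSHA, password=b"nope"),
        "chap_mac_ok": authenticate("CHAP", MAC_USER_CLEARTEXT, chap_id=7, challenge=challenge, response=good_chap),
        "chap_mac_bad": authenticate("CHAP", MAC_USER_CLEARTEXT, chap_id=7, challenge=challenge, response=bad_chap),
        "chap_against_ssha": authenticate("CHAP", WEBAUTH_USER_SSHA, chap_id=7, challenge=challenge, response=good_chap),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-20s %s  (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

The last case is the one that matters for the setup in the post: pointing a CHAP request at the tree holding {SSHA} hashes can never succeed, which is why the MAC-auth tree has to keep its (MAC-address) passwords in cleartext, and why that tree should be readable only by the RADIUS bind account.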