I'm trying to configure Freeradius to use LDAP (which is working), but I need to mix PAP and CHAP. I have a wireless web-auth that uses PAP and is sending the cleartext password (tunneled via TLS) to the LDAP database that contains the encrypted (SSHA) user passwords. I also have switches that only do CHAP, but for those I'm only going to do MAC-auth, so I've set up a separate database (same LDAP server, different basedn) that contains cleartext passwords (the MAC address) for each MAC that is authorized for the switch. I know it's not the best access control, but better than none.

I've set up 4 ldap modules, two different basedn's on two redundant servers.

This appears to work so far, but am I missing something here that's going to cause problems down the line?

Here are the authorize and authenticate sections of default; I haven't removed mschap, suffix, eap, unix or files, but none of them _should_ be used:

authorize {
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        redundant-load-balance {
                ldap-server1-radius
                ldap-server2-radius
        }
        redundant-load-balance {
                ldap-server1
                ldap-server2
        }
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
            redundant-load-balance {
                ldap-server1
                ldap-server2
            }
        }
        eap
}
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
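The reason the two directories have to differ (hashed {SSHA} passwords for the PAP web-auth, cleartext MAC strings for the CHAP switches) is how each method is verified on the server side. The following is an added example, not code from the post or from FreeRADIUS itself: it implements the standard {SSHA} check that PAP permits (the NAS supplies the cleartext password, so the server can rehash it) and the RFC 1994 CHAP check (the server must recompute MD5 over the cleartext secret, so a stored hash is useless). All salts, passwords, the MAC address and the challenge are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # constructed salt for the example
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap_ssha(password: bytes, stored: str) -> bool:
    """PAP: the cleartext password arrives (inside the TLS tunnel here), so the
    server can re-derive the salted SHA-1 and compare it against the stored hash."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_id: int, response: bytes, challenge: bytes,
                cleartext_secret: Optional[bytes]) -> bool:
    """CHAP: the server never sees the password, only MD5 over it, so it can only
    verify the response if it holds the cleartext secret. With just an {SSHA}
    hash on file there is nothing to recompute, hence the separate cleartext
    MAC directory in the post."""
    if cleartext_secret is None:
        return False
    expected = chap_response(chap_id, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)


def supported_auth_types(stored: str) -> set:
    """Which RADIUS authentication types a stored credential can serve."""
    if stored.startswith("{SSHA}"):
        return {"PAP"}          # hashed: PAP only
    return {"PAP", "CHAP"}      # cleartext: both


def demo() -> dict:
    """Walk through both directories from the post with constructed data."""
    # User directory: {SSHA}-hashed password, used by the PAP web-auth.
    user_entry = make_ssha(b"correct horse", salt=b"constsalt")
    # MAC directory: the cleartext "password" is the MAC address itself.
    mac_entry = "001122334455"
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed CHAP challenge
    chap_id = 7
    switch_response = chap_response(chap_id, mac_entry.encode(), challenge)
    return {
        "pap_ok": verify_pap_ssha(b"correct horse", user_entry),
        "pap_wrong": verify_pap_ssha(b"wrong", user_entry),
        "chap_mac_ok": verify_chap(chap_id, switch_response, challenge, mac_entry.encode()),
        # A CHAP login against the hashed user directory cannot succeed.
        "chap_user_entry": verify_chap(chap_id, switch_response, challenge, None),
        "user_types": supported_auth_types(user_entry),
        "mac_types": supported_auth_types(mac_entry),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the code makes explicit: the MAC-auth directory works with CHAP only because the MAC address is stored in the clear, and anyone who can read that branch of the LDAP tree holds every switch "password". Restricting the bind DN FreeRADIUS uses to read-only access on that basedn, and keeping the {SSHA} user passwords in the other branch, limits what a compromise of the RADIUS server's LDAP credentials exposes.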