On 07/13/2011 06:04 PM, Axford M.F. wrote:
> Hi
> I'm currently setting up a radius server to authenticate EAP based requests
> against Active Directory.
> Using Alan DeKok's guide I've got this authenticating mschap based EAP requests
> successfully.
> I also want to authenticate ttls/pap requests and I've found two ways to do
> this that seem to work.
> Method 1 is based on what's in
> http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html
> Method 2 is to use LDAP for pap authentications.
> All things being equal my preference is to use Method 1 as it keeps all
> authentications the same, however the:
>
>     if (!control:Auth-Type) {
>         update control {
>             Auth-Type = ntlm_auth_pap
>         }
>     }
>
> in the inner-tunnel/authorize section seems a bit like a hack. Is there a
> better way to do this?
We do this:

    server inner-tunnel {
        authorize {
            ...
            mschap
            eap
            pap
        }
        authenticate {
            Auth-Type PAP {
                ntlm_auth_pap
            }
            ...
        }
    }
...which is, in its own way, a hack (run the "pap" module to set the
Auth-Type, run a different module to service it). Your solution isn't so
bad; the "pap" module itself basically only does this internally:

    if (!control:Auth-Type && User-Password) {
        update control {
            Auth-Type := PAP
        }
    }
> Is either method particularly better than the other?
There might be circumstances in which LDAP is better; but knowing how
the protocols work and the failure modes of the two modules in
FreeRADIUS, I doubt it.
It also means you don't need a username to bind to LDAP for you; which
is just another bit of config to get wrong, out of date, expired
password, or compromised...
If you don't need LDAP for other reasons (e.g. groups) then don't bother
with it.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
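A complete wiring of the approach in the reply above, written as an added example and not taken from the poster's or the FreeRADIUS project's own configuration; the ntlm_auth path (/usr/bin/ntlm_auth), the AD domain name EXAMPLE and the exact module file location are assumptions, and the module name ntlm_auth_pap is the one used in the thread:

```conf
# modules/ntlm_auth_pap  (FreeRADIUS 2.x; mods-available/ in 3.x)
# Hands the cleartext inner-tunnel password to Samba's ntlm_auth, which
# verifies it against Active Directory. Assumed path and domain below.
exec ntlm_auth_pap {
    # wait = yes is essential: the exit status of ntlm_auth (0 = accepted)
    # is what turns into Access-Accept / Access-Reject for the inner request.
    wait = yes
    # %{mschap:User-Name} strips any DOMAIN\ or host/ prefix from the login name.
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# sites-available/inner-tunnel
server inner-tunnel {
    authorize {
        # mschap sets Auth-Type MS-CHAP when MS-CHAP attributes are present (PEAP/MSCHAPv2)
        mschap
        # eap services the inner EAP leg of PEAP
        eap
        # pap sets Auth-Type := PAP only when a User-Password arrived (TTLS/PAP);
        # this replaces the hand-written "if (!control:Auth-Type)" block.
        pap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        # Service PAP with ntlm_auth instead of the stock "pap" module, so no
        # LDAP bind account (and no password for it) needs to exist.
        Auth-Type PAP {
            ntlm_auth_pap
        }
        eap
    }
}
```

With `radiusd -X` running, a TTLS/PAP login should show the `pap` module setting Auth-Type and then the `ntlm_auth_pap` exec module returning ok or fail; if it instead shows "No Auth-Type found", the inner request carried no User-Password and the supplicant is not actually using PAP inside the tunnel.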