Re: Configuration questions for FreeRadius with EAP/TTLS and LDAP

2003-09-12 Thread Alan DeKok
Nic Bernstein <[EMAIL PROTECTED]> wrote:
> I can see from the comments in the radiusd.conf file how to tell the
> radius server where to find which certificate(s) to use for EAP/TLS
> operation, but how does one specify what certificate to use for (the
> initial TLS phase of) the EAP/TTLS operation?

  It uses the TLS certificates, as configured in the TLS module.

> When using LDAP for authentication, passwords are not necessarily in
> clear text.  Am I to understand the above to mean that I must store my
> passwords in LDAP in clear text for EAP to work?

  For EAP-MD5, and EAP-TTLS with tunneled CHAP, MS-CHAP, and EAP-MD5.

> If anyone is successfully using EAP/TTLS, especially in concert with
> LDAP, I would certainly appreciate some configuration examples.

  You shouldn't have to do anything special to get TTLS working with
LDAP.  Get LDAP working, uncomment the TTLS module, and the tunneled
authentication request will use the pre-existing LDAP configuration.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
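To make the answer above concrete, here is an added Python illustration (not code from the thread or from FreeRADIUS) of why tunneled CHAP and EAP-MD5 require a cleartext password in LDAP while tunneled PAP can be checked against a hashed one. It assumes OpenLDAP's {SSHA} and {CLEARTEXT} userPassword schemes and uses constructed credentials; MS-CHAP is left out.

```python
import base64
import hashlib
import hmac

def ssha_hash(password: bytes, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword: base64(sha1(password || salt) || salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def ssha_verify(stored: str, candidate: bytes) -> bool:
    """PAP-style check: recompute the salted hash from the candidate cleartext."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def authenticate(stored: str, method: str, **proof) -> bool:
    """What the server can verify depends on the userPassword scheme in LDAP.
    proof: password= for PAP; ident=, challenge=, response= for CHAP/EAP-MD5."""
    if stored.startswith("{CLEARTEXT}"):
        cleartext = stored[len("{CLEARTEXT}"):].encode()
        if method == "PAP":
            return hmac.compare_digest(cleartext, proof["password"])
        if method in ("CHAP", "EAP-MD5"):
            expected = chap_response(proof["ident"], cleartext, proof["challenge"])
            return hmac.compare_digest(expected, proof["response"])
    elif stored.startswith("{SSHA}"):
        if method == "PAP":
            return ssha_verify(stored, proof["password"])
        if method in ("CHAP", "EAP-MD5"):
            # LDAP holds sha1(pw||salt) but the wire carries md5(id||pw||chal);
            # neither is derivable from the other, so the server cannot decide.
            raise ValueError(f"{method} needs a cleartext password, LDAP only has a hash")
    raise ValueError(f"unsupported scheme/method: {method}")

def demo() -> dict:
    """Constructed run: PAP works against {SSHA}; CHAP/EAP-MD5 need {CLEARTEXT}."""
    pw, salt, chal = b"correct horse", b"\x01\x02\x03\x04", b"\x10" * 16  # constructed
    stored_hash = ssha_hash(pw, salt)
    resp = chap_response(7, pw, chal)
    out = {"pap_vs_ssha": authenticate(stored_hash, "PAP", password=pw),
           "chap_vs_cleartext": authenticate("{CLEARTEXT}" + pw.decode(), "CHAP",
                                             ident=7, challenge=chal, response=resp)}
    try:
        authenticate(stored_hash, "EAP-MD5", ident=7, challenge=chal, response=resp)
    except ValueError as exc:
        out["eapmd5_vs_ssha"] = str(exc)
    return out
```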


Configuration questions for FreeRadius with EAP/TTLS and LDAP

2003-09-11 Thread Nic Bernstein
We are trying to configure freeradius-snapshot-20030911 to use EAP/TTLS
with LDAP (OpenLDAP 2.0.27).  I have a few questions, however.

I can see from the comments in the radiusd.conf file how to tell the
radius server where to find which certificate(s) to use for EAP/TLS
operation, but how does one specify what certificate to use for (the
initial TLS phase of) the EAP/TTLS operation?

Also, the file doc/rlm_eap states:
  The radius server needs a plaintext password so that it can perform
  the same one-way hash to determine that the password is correct.

When using LDAP for authentication, passwords are not necessarily in
clear text.  Am I to understand the above to mean that I must store my
passwords in LDAP in clear text for EAP to work?

If anyone is successfully using EAP/TTLS, especially in concert with
LDAP, I would certainly appreciate some configuration examples.

Thanks in advance,
-nic 
-- 
Nic Bernstein [EMAIL PROTECTED]
Onlight llc.  www.onlight.com
757 North Water Street        v. 414.272.4477
Milwaukee, Wisconsin  53202   f. 414.290.0335




Re: Configuration questions

2001-08-23 Thread J. S. Townsley


Didn't see this hit the list yesterday.  Sending again.

Thank you Chris, it's working perfectly.

A question regarding attributes and ldap.  I cannot put all my attributes
in LDAP because one of my vendors doesn't work when it receives cisco av
pair AND ascend data filter.   I noticed the following in documentation:

#   default: NULL - use only user specific attributes or attributes,
#   supplied by other modules.

What other module(s) would be appropriate?  I didn't see any other
documentation.  rlm_attr_filter doesn't look like what I need.

Again, any help is appreciated.

--JST  

On Wed, 22 Aug 2001, Chris Parker wrote:

> Date: Wed, 22 Aug 2001 09:52:12 -0500
> From: Chris Parker <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Configuration questions
> 
> At 12:15 AM 8/22/2001 -0700, you wrote:
> 
> >Greetings list members.
> >
> >I am testing free radius currently and have a couple questions.
> >
> >I use the LDAP module for authentication.  I have two realms, each on
> >separate DN's.  How can I have two separate ldap configurations?
> 
> You can declare them as two separate instances in the config file:
> 
> modules {
>  ...
>  ldap LDAPONE{
>  server = "server1.foobar.biz"
>  # identity = "cn=admin,o=My Org,c=UA"
>  # password = mypass
>  basedn = "o=My Org,c=UA"
>  filter = "(uid=%u)"
>  ...
>  }
>  ldap LDAPTWO{
>  server = "server2.foobar.biz"
>  # identity = "cn=admin,o=My Org,c=UA"
>  # password = mypass
>  basedn = "o=My Org,c=UA"
>  filter = "(uid=%u)"
>  ...
>  }
>  ...
> }
> 
> Then call the modules as LDAPONE and LDAPTWO in the auth sections.  See
> the SQL module examples on how to do multiple instances.
> 
> 
> >It would be neat to be able to specify ldap_realma { binddn= etc..} and
> >then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
> >the authenticate block.   Is there current structure for this,
> >or do I need a second radius server/implementation to do this properly?
> 
> Read the docs, and look at the examples.  This is explained in intricate
> detail in 'doc/configurable_failover'.
> 
> >Secondly, do we have the ability to send attributes back to specific
> >radius clients?  I like to apply SMTP filters to NAS devices via
> >attributes such as 242, but this becomes difficult when you have some
> >ascend, cisco, portmaster, and cvx boxes on your network.
> >
> >I need to be able to do attributes X for client A (or maybe client group
> >A?) and attributes N for client B.
> 
> I have a similar need, as cisco's and pm's require slightly different
> syntax for 'Filter-ID' ( appending a .in to cisco's ).  For things other
> than that, you can send attributes from other vendors, and they should
> be ignored by other vendors.  However, not all vendors read the same
> RFC apparently, so this may not be the case, but that's another rant.  :)
> 
> For now, there isn't a way to do what you want, but there is a need for
> something similar, so have patience and it'll be there.
> 
> -Chris
> --
> \\\|||///  \  Chris Parker-Manager, Development Engineering
> \ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Without C we would have 'obol', 'basi', and 'pasal'
> 
> 
> 

___
J. S. Townsley  Senior Network and Systems Engineer
[EMAIL PROTECTED]  Integrity Online







Re: Configuration questions

2001-08-22 Thread Chris Parker

At 12:15 AM 8/22/2001 -0700, you wrote:

>Greetings list members.
>
>I am testing free radius currently and have a couple questions.
>
>I use the LDAP module for authentication.  I have two realms, each on
>separate DN's.  How can I have two separate ldap configurations?

You can declare them as two separate instances in the config file:

modules {
 ...
 ldap LDAPONE{
 server = "server1.foobar.biz"
 # identity = "cn=admin,o=My Org,c=UA"
 # password = mypass
 basedn = "o=My Org,c=UA"
 filter = "(uid=%u)"
 ...
 }
 ldap LDAPTWO{
 server = "server2.foobar.biz"
 # identity = "cn=admin,o=My Org,c=UA"
 # password = mypass
 basedn = "o=My Org,c=UA"
 filter = "(uid=%u)"
 ...
 }
 ...
}

Then call the modules as LDAPONE and LDAPTWO in the auth sections.  See
the SQL module examples on how to do multiple instances.


>It would be neat to be able to specify ldap_realma { binddn= etc..} and
>then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
>the authenticate block.   Is there current structure for this,
>or do I need a second radius server/implementation to do this properly?

Read the docs, and look at the examples.  This is explained in intricate
detail in 'doc/configurable_failover'.

>Secondly, do we have the ability to send attributes back to specific
>radius clients?  I like to apply SMTP filters to NAS devices via
>attributes such as 242, but this becomes difficult when you have some
>ascend, cisco, portmaster, and cvx boxes on your network.
>
>I need to be able to do attributes X for client A (or maybe client group
>A?) and attributes N for client B.

I have a similar need, as cisco's and pm's require slightly different
syntax for 'Filter-ID' ( appending a .in to cisco's ).  For things other
than that, you can send attributes from other vendors, and they should
be ignored by other vendors.  However, not all vendors read the same
RFC apparently, so this may not be the case, but that's another rant.  :)

For now, there isn't a way to do what you want, but there is a need for
something similar, so have patience and it'll be there.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Configuration questions

2001-08-22 Thread J. S. Townsley


Greetings list members.

I am testing free radius currently and have a couple questions.

I use the LDAP module for authentication.  I have two realms, each on
separate DN's.  How can I have two separate ldap configurations?

It would be neat to be able to specify ldap_realma { binddn= etc..} and
then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
the authenticate block.   Is there current structure for this,
or do I need a second radius server/implementation to do this properly?

Secondly, do we have the ability to send attributes back to specific
radius clients?  I like to apply SMTP filters to NAS devices via
attributes such as 242, but this becomes difficult when you have some
ascend, cisco, portmaster, and cvx boxes on your network.

I need to be able to do attributes X for client A (or maybe client group
A?) and attributes N for client B.

If anyone has any insight, suggestions, or simply wants to point me to
some more documentation please reply.

Thanks much,
--JST



