Re: Thoughts on a FreeRadius setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients
On 01/24/2013 03:35 PM, a.l.m.bu...@lboro.ac.uk wrote:
>

Hi Alan,

Thanks for all the information. Much appreciated, at least we can move from there.

Nicola
--
Nicola Volpini
Infrastructure Operations

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Thoughts on a FreeRadius setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients
Hi,

> 1. user authentication and authorisation against our OpenLDAP directory,
> which is currently set up to store passwords with a SASL mechanism (the
> pass is hashed, and Apache Directory Studio shows the value of the
> UserPassword attribute of each user as "SASL hashed password". This note
> is important, see further on)

you can use external code for validation but that could get tricky for different EAP types

> 2. Switchport dynamic VLAN assignment on the Cisco Catalyst switches
> depending on the gidNumber of the user

not a problem. reply items can contain whatever you need...which can be gleaned from whatever oracle you choose

> 3. Multiplatform support (Windows 7, Ubuntu 10.04, Ubuntu 12.04)

..they all do EAP

> 4. FreeRadius server certificate validation (no client certificates used)
> and 802.1x authentication by providing user/pass

works out of the box.

> software succeeds and gives me an Access-Accept. Intentionally mistyping
> the pass gives a reject. What am I doing wrong? Is the radtest tool using
> some other mechanism than MSCHAPv2?

radtest is a PAP method - you need to use eg eapol_test (part of wpa_supplicant package) or radeaptest with required configuration files. or any other test tool (NTRadping for windows, JRadiusSimulator etc)

> 2. this appears to be fairly easy to achieve by configuring the users file
> with one line per LDAP group like "DEFAULT LdapGroup == xxx" to return
> the "Tunnel-private-group-ID [81]" VDA depending on the match... or maybe
> in some other place of the config via unlang? I still need to understand
> how it works

that method (users file) is basic but works. unlang or external script can also be used

client certificates would mean no problem with LDAP for authentication. then you just need to work out how to deploy the client certs..

alan
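A worked example of the users-file approach discussed above, added here as an illustration and not taken from the thread or from any FreeRADIUS distribution file. It assumes FreeRADIUS 2.x with the ldap module in the authorize section, so that group membership is tested with the Ldap-Group check item; the group DNs and VLAN numbers are made-up values.

```text
# Added example, not from the thread: map LDAP group membership to a switch
# VLAN with the Tunnel-* reply items. Ldap-Group as the check-item name and
# the group DNs below are assumptions for a FreeRADIUS 2.x setup.

# Members of the staff group land in VLAN 10. Tunnel-Type and
# Tunnel-Medium-Type must accompany Tunnel-Private-Group-Id, otherwise the
# switch ignores the VLAN assignment.
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=example,dc=org"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Fall-Through = No

# Members of the students group land in VLAN 20.
DEFAULT Ldap-Group == "cn=students,ou=groups,dc=example,dc=org"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        Fall-Through = No

# Catch-all: an account that matches no mapped group is rejected instead of
# being left on whatever VLAN the switch port defaults to.
DEFAULT Auth-Type := Reject
        Reply-Message = "No VLAN mapping for this account"
```

With PEAP/MSCHAPv2 these entries are evaluated in the inner-tunnel virtual server, so the peap section needs use_tunneled_reply = yes for the Tunnel-* items to reach the switch in the outer Access-Accept.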