On 08/26/2009 04:16 AM, Rachid Zarouali wrote:
I'll try to answer your questions the best i can :-)
Basically we plain to use the ldap ipa password.
at first we want to use radius for authentication only.
i'm not sure about what you call outer/inner methods :(
the base of the authentication is the project is the ipa ldap
on which we try to connect a freeradius server which is used to authenticate
admin's on router/firewall .....
am i clear ?
If it's just admin access on a router/firewall I don't see a problem at
the moment. You should be able to use PAP on the router/firewall, it
encrypts the plaintext password and sends it to the freeradius server
which decrypts resulting in the plaintext password. The freeradius
server would then be configured to use Kerberos, it uses the plaintext
password and obtains a TGT (i.e. it does a kinit on behalf of the user)
if this is successful the radius authentication is successful. All this
should work "out of the box" for both IPA and FreeRADIUS (although
you'll have to edit the FreeRADIUS config to enable krb5).
We're not thrilled with this solution because the radius server sees a
plaintext password (although it's encrypted during transport). The
security is adequate but not ideal. Safer authentication methods require
us to do more integration work between IPA and FreeRADIUS, which at the
moment is a deferred work item.
John Dennis <jden...@redhat.com>
Looking to carve out IT costs?
Freeipa-users mailing list