On 08/26/2009 04:16 AM, Rachid Zarouali wrote:
Hello Dimitri,
I'll try to answer your questions the best i can :-)

Basically we plain to use the ldap ipa password.
at first we want to use radius for authentication only.

i'm not sure about what you call outer/inner methods :(
the base of the authentication is the project is the ipa ldap
on which we try to connect a freeradius server which is used to authenticate 
admin's on router/firewall .....

am i clear ?

If it's just admin access on a router/firewall I don't see a problem at the moment. You should be able to use PAP on the router/firewall, it encrypts the plaintext password and sends it to the freeradius server which decrypts resulting in the plaintext password. The freeradius server would then be configured to use Kerberos, it uses the plaintext password and obtains a TGT (i.e. it does a kinit on behalf of the user) if this is successful the radius authentication is successful. All this should work "out of the box" for both IPA and FreeRADIUS (although you'll have to edit the FreeRADIUS config to enable krb5).

We're not thrilled with this solution because the radius server sees a plaintext password (although it's encrypted during transport). The security is adequate but not ideal. Safer authentication methods require us to do more integration work between IPA and FreeRADIUS, which at the moment is a deferred work item.
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to