On 10/04/2011 11:14 AM, John Dennis wrote:
> On 10/04/2011 10:50 AM, Jimmy wrote:
>> I've been searching and see a few references to freeRADIUS used with
>> FreeIPA, but I don't see any substantial information on the subject. Is
>> there a procedure to use FreeIPA with freeRADIUS? I have a standalone
>> openldap/freeradius server that I would like to eliminate if possible.
> Integrating FreeRADIUS with IPA is on the long term roadmap. It's not
> as easy as one might imagine. The fundamental problem is that many of
> the RADIUS authentication methods require access to the user's
> cleartext password or hashes we feel are insecure. This presents a
> design issue for us to resolve, as such it has been pushed out.
> Refer to this chart for more information:
> http://deployingradius.com/documents/protocols/compatibility.html
OK. This could have created a wrong impression that freeRADIUS can't be
used now with IPA. This is wrong. There is no tight integration but IPA
for sure can act as an "authentication oracle" for freeRADIUS.

You have to use: EAP-TTLS as an outer tunnel, PAP as an inner tunnel and
configure freeRADIUS to do a bind operation against IPA as if it is an
LDAP server (or you can use PAM for that if you want; with SSSD you
might get offline caching if your connection between the RADIUS host and IPA
might be disrupted, but if they are on the same box or the connection is
reliable it might make sense to use a direct LDAP bind rather than the
PAM stack).
How to do all this can be found in the RADIUS manual. If you find some
interesting gotchas related to IPA or SSSD in this setup please share
with us. Also if you find this information not sufficient let us know
and we will try to help you find the right documentation.

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
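The setup Dmitri describes (EAP-TTLS as the outer tunnel, PAP inside it, FreeRADIUS authenticating by LDAP bind against IPA) written out as FreeRADIUS 3.x configuration fragments. This is an added illustration, not configuration from the thread or from the IPA project; the host ipa.example.com, the base DN dc=example,dc=com and the CA path /etc/ipa/ca.crt are placeholder assumptions.

```conf
# /etc/raddb/mods-available/ldap  (FreeRADIUS 3.x syntax; paths assumed)
ldap {
    server  = 'ipa.example.com'            # placeholder IPA server
    port    = 636                          # LDAPS: the PAP password leaves this box only under TLS
    base_dn = 'cn=accounts,dc=example,dc=com'
    user {
        base_dn = "${..base_dn}"
        # IPA keeps users under cn=users,cn=accounts; look them up by uid
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        ca_file      = /etc/ipa/ca.crt     # placeholder: the IPA CA certificate
        require_cert = 'demand'            # verify the IPA server certificate
    }
    # No password attribute is mapped on purpose: IPA will not hand out
    # userPassword, so the user is authenticated by binding as that user.
}

# /etc/raddb/sites-available/inner-tunnel  (relevant sections only)
authorize {
    ldap                                   # resolve the user's DN
    if ((ok || updated) && User-Password) {
        update { control:Auth-Type := ldap }   # authenticate via LDAP bind
    }
    pap
}
authenticate {
    Auth-Type LDAP {
        ldap                               # binds to IPA with the tunnelled PAP password
    }
    pap
}

# /etc/raddb/mods-available/eap  (relevant sections only)
eap {
    default_eap_type = ttls
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # the RADIUS server's own certificate
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }
    ttls {
        tls                    = tls-common
        copy_request_to_tunnel = yes
        use_tunneled_reply     = yes
        virtual_server         = "inner-tunnel"    # PAP is handled inside the tunnel
    }
}
```

Because IPA never releases password hashes, inner methods that need them (MSCHAPv2 and friends, per the compatibility chart John linked) will not work with this setup; the bind-based PAP inner tunnel is what keeps it workable.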

Freeipa-users mailing list