Thanks. I will look into it and get back with more info.

On Wed, Oct 5, 2011 at 9:44 AM, Dmitri Pal <[email protected]> wrote:
> On 10/04/2011 11:14 AM, John Dennis wrote:
> > On 10/04/2011 10:50 AM, Jimmy wrote:
> >> I've been searching and see a few references to freeRADIUS used with
> >> FreeIPA, but I don't see any substantial information on the subject. Is
> >> there a procedure to use FreeIPA with freeRADIUS? I have a standalone
> >> openldap/freeradius server that I would like to eliminate if possible.
> >
> > Integrating FreeRADIUS with IPA is on the long term roadmap. It's not
> > as easy as one might imagine. The fundamental problem is that many of
> > the RADIUS authentication methods require access to the user's
> > cleartext password or hashes we feel are insecure. This presents a
> > design issue for us to resolve, as such it has been pushed out.
> >
> > Refer to this chart for more information:
> >
> > http://deployingradius.com/documents/protocols/compatibility.html
> >
>
> OK. This could have created a wrong impression that freeRADIUS can't be
> used now with IPA. This is wrong. There is no tight integration but IPA
> for sure can act as an "authentication oracle" for freeRADIUS.
> http://deployingradius.com/documents/protocols/oracles.html
>
> You have to use: EAP-TTLS as an outer tunnel, PAP as an inner tunnel and
> configure freeRADIUS to do bind operation against IPA as if it is an
> LDAP server (or you can use pam for that if you want, with SSSD you
> might get offline caching if your connection between RADIUS host and IPA
> might be disrupted, but if they are on the same box or connection is
> reliable it might make sense to use direct ldap bind rather than use the
> PAM stack).
> How to do all this can be found in the RADIUS manual. If you find some
> interesting gotchas related to IPA or SSSD in this setup please share
> with us. Also if you find this information not sufficient let us know
> and we will try to help you find the right documentation.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
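
An added illustration, not part of the thread and not FreeIPA or FreeRADIUS code, of the point discussed above: inner PAP hands the RADIUS server a cleartext it can forward as a bind, while a challenge-response method cannot be checked against a bind-only "oracle". It assumes a toy in-memory directory holding salted SHA-1 hashes and uses CHAP (RFC 1994) as the example of a method that needs the cleartext; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def ssha(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 in the layout of an LDAP {SSHA} value: digest || salt."""
    return hashlib.sha1(password + salt).digest() + salt

class ToyDirectory:
    """Hypothetical stand-in for an LDAP server: keeps salted hashes only
    and exposes nothing but a bind() yes/no answer (the 'oracle')."""
    def __init__(self):
        self._hashes = {}

    def add_user(self, dn: str, password: bytes) -> None:
        self._hashes[dn] = ssha(password, os.urandom(8))

    def bind(self, dn: str, password: bytes) -> bool:
        stored = self._hashes.get(dn)
        # An empty password would be an unauthenticated bind (RFC 4513);
        # it must never count as a successful login.
        if stored is None or not password:
            return False
        return hmac.compare_digest(ssha(password, stored[20:]), stored)

def inner_pap(directory: ToyDirectory, dn: str, password: bytes) -> bool:
    """PAP inside the TLS tunnel: the RADIUS server holds the cleartext
    and can hand it to the directory as a bind attempt."""
    return directory.bind(dn, password)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_check(cleartext, chap_id, challenge, response):
    """Verifying CHAP means recomputing the MD5 over the cleartext.
    With a bind-only oracle there is none (cleartext=None): undecidable."""
    if cleartext is None:
        return None
    expected = chap_response(chap_id, cleartext, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    d = ToyDirectory()
    d.add_user("uid=alice", b"s3cret")  # constructed sample user
    chal = os.urandom(16)
    resp = chap_response(1, b"s3cret", chal)
    print(inner_pap(d, "uid=alice", b"s3cret"), inner_pap(d, "uid=alice", b"guess"))
    print(chap_check(None, 1, chal, resp), chap_check(b"s3cret", 1, chal, resp))
```

The salted hash cannot be fed into the MD5 computation in place of the password, which is why the directory would have to store the cleartext (or a reversible form) for CHAP to work.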
