EAP and System users?

2007-03-09 Thread Matt Ashfield
Hi,

We've been working on having a setup that can authenticate users against
LDAP via EAP (Chap) as well as System users.

We can get it to do one or the other, but not both. Is it possible to do
both? If so, how?

Thanks

Matt 
[EMAIL PROTECTED] 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP and System users?

2007-03-09 Thread Alan DeKok
Matt Ashfield wrote:

> We've been working on having a setup that can authenticate users against
> LDAP via EAP (Chap) as well as System users.

http://deployingradius.com/documents/protocols/compatibility.html

  LDAP doesn't do CHAP, so I'm not sure what you mean.

  The only EAP methods that are compatible with /etc/password are
EAP-GTC, or TTLS with tunneled PAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: EAP and System users?

2007-03-09 Thread Matt Ashfield
I guess what I meant was that we'd want to authenticate the user in one of
two ways:

(1) as a System User. So the client's credentials would be compared against
the system users,

OR, if no such user exists

(2) verify the client against credentials stored in LDAP.

Both of these scenarios work individually. Meaning I can configure FR to
authenticate System users. I can also configure FR to authenticate against
LDAP. But we cannot seem to combine them and offer both options.

Matt
[EMAIL PROTECTED] 


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: March 9, 2007 11:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP and System users?

Matt Ashfield wrote:

> We've been working on having a setup that can authenticate users against
> LDAP via EAP (Chap) as well as System users.

http://deployingradius.com/documents/protocols/compatibility.html

  LDAP doesn't do CHAP, so I'm not sure what you mean.

  The only EAP methods that are compatible with /etc/password are
EAP-GTC, or TTLS with tunneled PAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog



Re: EAP and System users?

2007-03-09 Thread Alan DeKok
Matt Ashfield wrote:
> I guess what I meant was that we'd want to authenticate the user in one of
> two ways:
>
> (1) as a System User. So the client's credentials would be compared against
> the system users,
>
> OR, if no such user exists
>
> (2) verify the client against credentials stored in LDAP.

  See doc/configurable_failover.

  It's easier in the CVS head, because the unix module doesn't have an
authenticate section any more, as it doesn't need one.  There, you can do:

  group {
    unix {
      updated = return
    }
    ldap
  }

> Both of these scenarios work individually. Meaning I can configure FR to
> authenticate System users. I can also configure FR to authenticate against
> LDAP. But we cannot seem to combine them and offer both options.

  Perhaps you could paste part of your configuration & part of the
debug log.

  Odds are you're forcing system authentication, so that works... OR
you're forcing LDAP, so that works.  But forcing one means that the
other is forbidden.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
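
A simplified model of how the `group { unix { updated = return } ldap }` block in the reply above falls through from system users to LDAP, added here as an illustration; it is not FreeRADIUS code and not part of the thread. The default action table and the return codes fed to it (unix returning `updated` or `notfound`, ldap returning `ok` or `notfound`) are assumptions based on doc/configurable_failover.

```python
# Simplified model of FreeRADIUS "configurable failover" group evaluation.
# Each module returns a code; each code maps to an action: either "return"
# (stop at once with that code) or a numeric priority (remember the code if
# its priority is at least the best so far, then continue to the next module).
RETURN = "return"

# ASSUMPTION: default actions for a group in the authorize section,
# as described in doc/configurable_failover.
DEFAULT_ACTIONS = {
    "reject": RETURN, "fail": RETURN, "ok": 3, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN, "notfound": 1, "noop": 2,
    "updated": 4,
}

def run_group(modules, results):
    """modules: list of (name, action_overrides) in configuration order.
    results: constructed mapping of module name -> code it would return.
    Returns (final_code, names_of_modules_actually_called)."""
    best_code, best_prio = None, 0
    called = []
    for name, overrides in modules:
        code = results[name]
        called.append(name)
        action = {**DEFAULT_ACTIONS, **overrides}[code]
        if action == RETURN:
            return code, called          # short-circuit: later modules never run
        if action >= best_prio:
            best_code, best_prio = code, action
    return best_code, called

# The group from the reply: stop as soon as unix has found the user.
GROUP = [("unix", {"updated": RETURN}), ("ldap", {})]
# Same modules without the override, for comparison.
NO_OVERRIDE = [("unix", {}), ("ldap", {})]

if __name__ == "__main__":
    cases = [  # constructed scenarios
        ("system user", GROUP, {"unix": "updated", "ldap": "notfound"}),
        ("LDAP-only user", GROUP, {"unix": "notfound", "ldap": "ok"}),
        ("unknown user", GROUP, {"unix": "notfound", "ldap": "notfound"}),
        ("system user, no override", NO_OVERRIDE, {"unix": "updated", "ldap": "ok"}),
    ]
    for label, group, results in cases:
        print(label, "->", run_group(group, results))
```

Without the override, the group still ends with `updated` for a system user, but the LDAP server is queried on every request; `updated = return` is what makes LDAP a fallback rather than a second lookup.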