
When using FreeRADIUS with LDAP passthrough authentication, such as OpenLDAP with SASL or Kerberos passthrough, you are very restricted in which authentication protocols you can use.

DeployingRADIUS, Alan DeKok's site, has a handy compatibility matrix that lists authentication systems and their authentication protocol compatibility. LDAP servers with passthrough authentication require you to bind to LDAP as the user, which in the compatibility matrix limits you to PAP authentication and its EAP variations (such as EAP-TTLS/PAP and EAP-TTLS/EAP-GTC with PAP).

...

Note

It is assumed here that you will modify the default server available in FreeRADIUS's sites. For tunneled requests, such as EAP, you must modify the inner-tunnel site instead, because Moonshot will use EAP-TTLS; in that case also set the default EAP type in the ttls section to gtc for PAP support.

  1. Insert the following at the bottom of the authorize section, after the pap line:

    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
  2. In the authenticate section, modify the Auth-Type PAP block as shown below:

    Auth-Type PAP {
        # pap
        ldap
    }
  3. Additionally, remove the comment from the ldap line in the Auth-Type LDAP block, but leave the block itself in place.
  4. Save the file.
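As an added example that is not part of the original page, here are the two site sections and the ttls section of the eap module after the steps above, assembled in one place; the file names, the tls-common reference and the virtual_server line are FreeRADIUS 3 defaults assumed here.

```unlang
# raddb/sites-enabled/inner-tunnel (use sites-enabled/default for plain PAP)
authorize {
	# ... the default authorize section, unchanged, up to and including pap
	pap

	# Step 1: when the request carries a cleartext password, hand
	# authentication to the ldap module, which binds to the directory as
	# the user with that password (the only check a passthrough directory
	# such as OpenLDAP with SASL or Kerberos passthrough can perform).
	if (User-Password) {
		update control {
			Auth-Type := ldap
		}
	}
}

authenticate {
	# Step 2: pap is commented out because the directory never releases a
	# password the pap module could compare against; ldap binds instead.
	Auth-Type PAP {
		# pap
		ldap
	}

	# Step 3: only the ldap line inside this block is uncommented;
	# the block itself stays as it was.
	Auth-Type LDAP {
		ldap
	}
}

# raddb/mods-available/eap (Moonshot clients use EAP-TTLS)
ttls {
	tls = tls-common
	# gtc carries the password in the clear inside the TLS tunnel, so the
	# inner request reaches the ldap bind exactly like a plain PAP request.
	default_eap_type = gtc
	virtual_server = "inner-tunnel"
}
```

A quick check for the PAP path is `radtest <user> <password> localhost 0 <shared-secret>`, which should return an Access-Accept while `radiusd -X` (or `freeradius -X` on Debian-based systems) shows the ldap module binding as that user.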

...