(RADIATOR) 802.1x, MD5 and LDAP

Rodger Hanson rodger.hanson at manukau.ac.nz
Wed Jun 30 14:02:46 CDT 2004


Begin forwarded message:
From: Christopher Stott <chris at manukau.ac.nz>
Date: 29 June 2004 11:28:34 AM
To: radiator at open.com.au
Subject: 802.1x, MD5 and LDAP

Hello,

I'm new to this game and somewhat confused :-(

I have a simple desire to use a single encrypted password in my directory
server. I'd allow access to services based on successful authentication
against LDAP and other attribute values held within the directory server.
This plan works fine with the <AuthBy LDAP2> clause and postauthhook files
for my dial-in and vpn systems. However, once I try to use an 802.1x
wireless access point I run into issues. It would appear that the password
check assumes LDAP returns a clear text password. This seems a little odd as
this was not the case in my dial-in and vpn setups.

I really don't want to create another password (and keep it in the clear) on
the directory server as I'll run into all manner of issues with password
consistency.

I've toyed with the idea of a preauthhook file to create a dummy passwd file for
an <AuthBy Unix> and a postauthhook to get rid of the junk. <AuthBy
EXTERNAL> looks interesting but both of these solutions seem to be making
the issue more complex than it probably needs to be.

Any hints, tips, advice please?

Chris.

8<-------- 8<-------- 8<-------- Stuff out of the cfg file. 8<--------
8<-------- 8<-------- 

<Client a.b.c.d>
Description Foundry-Wireless-AP
# Can't see a Foundry dictionary, let's use cisco for now
NasType Cisco
Identifier Foundry-Wireless-AP
Secret ************
DupInterval 0
IgnoreAcctSignature
</Client>

<Handler Client-Identifier=Foundry-Wireless-AP>
<AuthBy LDAP2>
Identifier Foundry-Wireless-AP
EAPType MD5-Challenge
Host ldap.at.my.place
Port 389
AuthDN uid=the_boss
AuthPassword ***********
BaseDN search_base
UsernameAttr uid
PasswordAttr userPassword
Description Foundry-Wireless-AP
</AuthBy>
PostAuthHook file:"PostAuthCheck"
AcctLogFileName /var/log/radius/Foundry-Wireless-AP.log
</Handler>
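
Added example (not part of the original message and not Radiator code): why a hashed userPassword can satisfy a password check where the server receives the password itself, yet cannot satisfy EAP MD5-Challenge, which is computed as MD5(identifier || password || challenge) per RFC 3748 / RFC 1994. It assumes the dial-in and VPN setups submit the password PAP-style and that the directory holds an {SSHA} value; all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def ssha(password: bytes, salt: bytes) -> str:
    """LDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_pap(submitted: bytes, stored: str) -> bool:
    """PAP-style check: the server sees the submitted password, so it can
    re-hash it with the stored salt and compare with the directory value."""
    salt = base64.b64decode(stored[len("{SSHA}"):])[20:]  # SHA-1 digest is 20 bytes
    return hmac.compare_digest(ssha(submitted, salt), stored)

def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value the supplicant returns for an EAP MD5-Challenge request."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def check_eap_md5(identifier: int, challenge: bytes, response: bytes,
                  stored: bytes) -> bool:
    """Server side: the password never crosses the wire, so the digest must be
    recomputed from whatever the directory returned for the user."""
    expected = eap_md5_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"correct horse"                  # constructed sample password
    stored_hash = ssha(password, b"\x01\x02\x03\x04")  # constructed salt
    ident, challenge = 7, bytes(range(16))       # constructed; real challenges are random
    response = eap_md5_response(ident, password, challenge)  # supplicant side
    return {
        # Hashed directory value works when the password itself is submitted.
        "pap_vs_hash": check_pap(password, stored_hash),
        # The same hashed value cannot reproduce the supplicant's MD5 digest.
        "eap_vs_hash": check_eap_md5(ident, challenge, response, stored_hash.encode()),
        # Only the plaintext password lets the server recompute the response.
        "eap_vs_plain": check_eap_md5(ident, challenge, response, password),
    }

if __name__ == "__main__":
    print(demo())
```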


 