(RADIATOR) MAC-Address Check and LDAP on OS X

Christian Kratzer ck-lists at cksoft.de
Tue Mar 1 12:57:55 CST 2005


Hi,

On Tue, 1 Mar 2005, Hugh Irvine wrote:

>
> Hello Urs -
>
> Your AuthBy FILE should only check the MAC addresses.
>
> # list MAC addresses
>
> 0030.6503.0a96 Auth-Type = ACCEPT
>
> ......
>
>
> The AuthBy LDAP2 should be called after the AuthBy FILE.
>
> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>        AuthByPolicy ContinueWhileAccept
>        AuthBy CheckMACAddress
>        AuthBy CheckLDAP
> </Handler>
>
> BTW - you can only store cleartext passwords when using LEAP.
>
> And I'm not sure whether ServerChecksPasswords will work in this scenario.

it will not.

ServerChecksPassword just passes the username/password combination to
the ldap bind.  This rules out any challenge / response based
authentication schemes like especially chap and mschap2.

So CHAP is currently only possible if the password is accessible in
cleartext via an LDAP attribute which is why we have not yet been
able to get 802.1X PEAP to work with AuthLDAP2 against Active Directory.

What I have been thinking about in this context is if there could be an
advanced version of ServerChecksPassword called ServerChecksPasswordUsingSASL
that would use sasl to attempt an ldap bind.

Sasl should allow radiator to proxy the challenge response back to the nas.

I am not sure if this could be done. If yes this could be a big pain saver
for all active directory installations.

Greetings
Christian

-- 
Christian Kratzer                       ck at cksoft.de
CK Software GmbH                        http://www.cksoft.de/
Phone: +49 7452 889 135                 Fax: +49 7452 889 136
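The following is an added example, not code from this thread or from Radiator itself. It models the point made above about ServerChecksPassword: a bind-style backend can only answer "does this username/password pair bind?", which is enough for PAP (the password is in the packet) but useless for CHAP, where the packet carries only MD5(Identifier || secret || challenge) and verifying it means recomputing that hash from a secret the server must already hold. The two backend classes, the `authenticate` function and the constructed directory are hypothetical stand-ins; `normalize_mac` rewrites a Calling-Station-Id into the dotted form used in Hugh's AuthBy FILE snippet so the MAC check matches regardless of the separator the NAS sends. CHAP-Password follows RFC 2865 (one Identifier octet followed by the 16-byte response).

```python
import hashlib
import hmac
import re
from typing import Dict, Optional


def normalize_mac(calling_station_id: str) -> str:
    """Rewrite any common MAC spelling into the dotted form used in the
    AuthBy FILE list (e.g. 0030.6503.0a96), so the same client matches
    whatever separator the NAS used in Calling-Station-Id."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


class BindBackend:
    """Hypothetical model of AuthBy LDAP2 with ServerChecksPassword: the only
    question the directory answers is whether a username/password pair binds."""

    def __init__(self, directory: Dict[str, str]):
        self._directory = directory  # constructed stand-in for the LDAP server

    def bind(self, username: str, password: str) -> bool:
        return self._directory.get(username) == password


class AttributeBackend:
    """Hypothetical model of AuthBy LDAP2 without ServerChecksPassword: the
    RADIUS server reads the cleartext password attribute and compares itself."""

    def __init__(self, directory: Dict[str, str]):
        self._directory = directory

    def cleartext(self, username: str) -> Optional[str]:
        return self._directory.get(username)


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def authenticate(request: dict, backend) -> str:
    """Return 'accept', 'reject' or 'unsupported' for a RADIUS-style request.

    request carries either User-Password (PAP) or CHAP-Password plus
    CHAP-Challenge (CHAP); keys follow the RADIUS attribute names."""
    user = request["User-Name"]

    if "User-Password" in request:
        # PAP: the password itself is in the packet, so either backend works.
        pw = request["User-Password"]
        if isinstance(backend, BindBackend):
            ok = backend.bind(user, pw)
        else:
            stored = backend.cleartext(user)
            ok = stored is not None and hmac.compare_digest(stored.encode(), pw.encode())
        return "accept" if ok else "reject"

    if "CHAP-Password" in request:
        # CHAP: the packet holds only the hash, so there is no password to
        # hand to a bind. Only a backend that yields the secret can verify it.
        if isinstance(backend, BindBackend):
            return "unsupported"
        secret = backend.cleartext(user)
        if secret is None:
            return "reject"
        chap_id = request["CHAP-Password"][0]
        response = request["CHAP-Password"][1:]
        expected = chap_response(chap_id, secret, request["CHAP-Challenge"])
        return "accept" if hmac.compare_digest(expected, response) else "reject"

    return "unsupported"


if __name__ == "__main__":
    # Constructed sample directory and a constructed CHAP exchange.
    directory = {"urs": "wireless-secret"}
    challenge = bytes(range(16))
    chap_req = {
        "User-Name": "urs",
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([7]) + chap_response(7, "wireless-secret", challenge),
    }
    print("MAC:", normalize_mac("00-30-65-03-0A-96"))
    print("CHAP via attribute lookup:", authenticate(chap_req, AttributeBackend(directory)))
    print("CHAP via bind only:", authenticate(chap_req, BindBackend(directory)))
```

The same limitation applies to MS-CHAPv2, which needs the NT hash of the password rather than a bind; a SASL-based bind, as suggested in the message, would be a way to let the directory itself answer the challenge instead of the RADIUS server.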

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.