(RADIATOR) Mac-Adress Check and LDAP on OS X
Urs Landis
urs.landis at mac.com
Tue Mar 1 13:10:00 CST 2005
Thanks for the Info Christian
i got the same result, but whats about TTLS, TLS, PEAP and MD5 where
will ServerChecksPassword run and where not?
Best regards
Urs Landis
ICT
Kantonsschule
Hohe Promenade
Postfach
Promenadengasse 11
CH-8090 Zürich
Tel: 044 - 268 36 29
Nat: 079 - 400 40 01
Am 01.03.2005 um 19:57 schrieb Christian Kratzer:
> Hi,
>
> On Tue, 1 Mar 2005, Hugh Irvine wrote:
>
>>
>> Hello Urs -
>>
>> Your AuthBy FILE should only check the MAC addresses.
>>
>> # list MAC addresses
>>
>> 0030.6503.0a96 Auth-Type = ACCEPT
>>
>> ......
>>
>>
>> The AuthBy LDAP2 should be called after the AuthBy FILE.
>>
>> <Handler NAS-Port-Type=Wireless-IEEE-802-11>
>> AuthByPolicy ContinueWhileAccept
>> AuthBy CheckMACAddress
>> AuthBy CheckLDAP
>> </Handler>
>>
>> BTW - you can only store cleartext passwords when using LEAP.
>>
>> And I'm not sure whether ServerChecksPasswords will work in this
>> scenario.
>
> it will not.
>
> ServerChecksPassword just passes the username/password combination to
> the ldap bind. This rules out any challenge / response based
> authentication schemes like espcially chap and mschap2.
>
> So CHAP is currently only possible if the password is accessible in
> cleartext via an LDAP attribute which is why we have not yet been able
> to get 802.1X PEAP to work with AuthLDAP2 against Active Diretory.
>
> What I have been thinking about in this context is if there could be an
> advanced version of ServerChecksPassword called
> ServerChecksPasswordUsingSASL
> that would use sasl to attempt an ldap bind.
>
> Sasl should allow radiator to proxy the challenge response back to the
> nas.
>
> I am not sure if this could be done. If yes this could be big pain
> saver
> for all active directory installations.
>
> Greetings
> Christian
>
> --
> Christian Kratzer ck at cksoft.de
> CK Software GmbH http://www.cksoft.de/
> Phone: +49 7452 889 135 Fax: +49 7452 889 136
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 2122 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20050301/78208252/attachment.bin>
More information about the radiator
mailing list