[RADIATOR] Ideas on Radiator setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients

A.L.M.Buxey at lboro.ac.uk
Wed Jan 30 13:46:00 CST 2013


Hi,

> From what I understood the choice between PEAP and EAP-TLS is mainly
> dependent on the compatibility with our current user/password store. If
> I got it correctly, it's mandatory to have passwords stored in cleartext
> to allow PEAP/MSCHAPv2 to work, which is not our case since we hash the
> passwords. Authenticating to Kerberos is also apparently not possible
> because we're not using digest!

shame

> Even if this setup worked I assume we would still need the user to
> reconfigure the supplicant every 90 days (we enforce a password change)
> which is kinda annoying for them.

you can send 'enter new password' requests during the PEAP auth phase... so they don't
need to reconfigure their supplicant, just update the profile

> At this point EAP-TLS would be the way to go! A question arises though:
> are the EAP-TLS certs generated specifically for the user or for the
> machine? The former would be preferred since we could then extract the
> username and proceed with an LDAP query, subsequently obtaining the
> aforementioned "gid" value to map the right switch port... but then, how
> would the user be provided her/his first cert on linux when logging in
> for the first time? Argh... this is not really a Radiator issue, I know :)

EAP-TLS opens the can of worms that is PKI and full PKI management. You probably
also don't want them to be able to just download their cert and slap it onto anything,
or give it to someone else. Using some guest network (Cisco switches, for example,
give you an 802.1X fail or guest VLAN option...), the guest VLAN could be a walled
garden giving them access to the required bootstrap/setup environment.

alan
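The authorisation step the original poster sketches (take the user name from the EAP-TLS client certificate, look up the user's "gid" in LDAP, and use it to choose the switch port's VLAN) as an added, self-contained example. This is not Radiator configuration or code from either participant: the directory contents, the gid-to-VLAN table, the use of the certificate CN as the user name, and the function names are all assumptions made for illustration. It also adds the check a practitioner would want: the certificate's identity must match the identity the supplicant claims, and unknown users or gids are rejected rather than dropped into a default VLAN.

```python
"""Map an EAP-TLS client-certificate identity to a port VLAN via a directory lookup.

Added example, not Radiator's own code. The directory and VLAN table below are
constructed in-memory stand-ins for an OpenLDAP query result and a site policy.
"""

# Constructed sample directory entries (stand-in for LDAP search results).
DIRECTORY = {
    "alice": {"uid": "alice", "gidNumber": 1001},
    "bob":   {"uid": "bob",   "gidNumber": 2002},
    "srv01": {"uid": "srv01", "gidNumber": 9000},   # a host, not a person
}

# Hypothetical gid -> VLAN policy. gids with no entry get no network access.
GID_TO_VLAN = {1001: 10, 2002: 20}


def cn_from_subject(subject_dn):
    """Return the CN value of a subject DN such as 'CN=alice,OU=staff,O=example'.

    Simplified RFC 4514 handling: assumes no escaped commas inside values,
    which is fine for certificates you issue yourself with a fixed profile.
    """
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN" and value:
            return value.strip()
    return None


def authorize(subject_dn, eap_identity):
    """Decide the VLAN for an EAP-TLS session that has already passed TLS checks.

    subject_dn   -- subject of the client certificate the TLS layer verified
    eap_identity -- the User-Name / EAP identity the supplicant sent

    Returns the RADIUS tunnel attributes (RFC 3580 style) to put in the
    Access-Accept, or None to reject. Every failure fails closed.
    """
    cn = cn_from_subject(subject_dn)
    if cn is None:
        return None          # certificate carries no usable user identity

    # Bind the certificate to the claimed identity: a valid cert presented
    # under someone else's User-Name is refused, not silently accepted.
    if cn != eap_identity:
        return None

    entry = DIRECTORY.get(cn)
    if entry is None:
        return None          # e.g. a machine certificate, or a revoked account

    vlan = GID_TO_VLAN.get(entry["gidNumber"])
    if vlan is None:
        return None          # gid without a VLAN policy: no default VLAN

    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    print(authorize("CN=alice,OU=staff,O=example", "alice"))
    print(authorize("CN=alice,OU=staff,O=example", "bob"))
```

In a real deployment the directory lookup would be an LDAP search keyed on the CN (or a SAN attribute) and the gid-to-VLAN table would live in the RADIUS server's configuration; the point of the example is the order of checks, in particular that the identity in the certificate, not the outer EAP identity, is what drives the lookup.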

