[RADIATOR] Ideas on Radiator setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients

Heikki Vatiainen hvn at open.com.au
Thu Jan 31 08:53:42 CST 2013


On 01/30/2013 05:54 PM, Nicola Volpini wrote:

> Our Idea is to use either PEAP/MSCHAPv2 for ease of deployment or
> EAP-TLS, both providing the cross platform compatibility we aim for.
> After the authentication the user would be mapped to the right vlan by
> the switch depending on her/his "gid" value obtained via an LDAP query

This is possible. The exact method depends on the organisation, some
have groups which have VLAN ids as part of group names, some use a
hardwired group membership -> VLAN mapping and others may specify VLAN
directly for the user object.

> From what I understood the choice between PEAP and EAP-TLS is mainly
> dependent on the compatibility with our current user/password store. If
> I got it correctly, it's mandatory to have passwords stored in cleartext
> to allow PEAP/MSCHAPv2 to work, which is not our case since we hash the
> passwords.

NT Hash would work too. See goodies/nthash.pl for the expected format.

> Even if this setup worked I assume we would still need the user to
> reconfigure the supplicant every 90 days (we enforce a password change)
> which is kinda annoying for them.

Alan suggested using PEAP for password change. That would require
MSCHAP-V2 password change support which is not, at least currently,
supported. Or was it something else?

> At this point EAP-TLS would be the way to go! A question arises though:
> are the EAP-TLS certs generated specifically for the user or for the
> machine?

As you mentioned, this is not a Radiator issue because it does not care
if the certificate is for a human or a machine. The minimum Radiator
requires is a matching CA certificate. The certificate management is the
hard part with EAP TLS.

If you take a look at goodies/eap_tls.cfg and change AuthBy FILE to
AuthBy LDAP2, you can use this to do LDAP based checks for certificate
validity.

Thanks,
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
