[Freeipa-devel] How we should be integrating RADIUS
John Dennis
jdennis at redhat.com
Thu Nov 8 14:51:02 UTC 2007
Andrew Bartlett wrote:
> I came across this HOWTO about RADIUS, and I think it explains very well
> why we need to have FreeRADIUS use Samba for MS-CHAP authentication.
>
> If we set it up right, this should 'just work' against the local Samba
> as a frontend to FreeIPA.
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> I realise Samba isn't part of FreeIPA yet, but this just gives us
> another reason why it needs to be. I've looked over the patch for
> FreeIPA inclusion, but I can't quite see how to translate that into
> Samba (3) inclusion.

Thanks for the pointer Andrew, I'm familiar with the document. I'm sure
at some point we may want to authenticate against AD but initially we're
authenticating against IPA. There are many possible scenarios with how
customers will want to use radius, our going-in plan is to keep it
simple for V1.

One of the challenges of integrating radius into IPA is the fact radius
is best thought of as a toolkit with multiple ways of setting it up
tailored to the needs of the site. I think we're going to end up with a
handful of pre-canned configurations that IPA supports, mschap/ntlm
will certainly be one of them in order to support Windows clients.
Figuring out how we're going to handle mschap/ntlm is on hold till V2.

--
John Dennis <jdennis at redhat.com>