[Freeipa-users] freeRADIUS?

Jimmy g17jimmy at gmail.com
Wed Oct 5 13:54:28 UTC 2011


Thanks. I will look into it and get back with more info.

On Wed, Oct 5, 2011 at 9:44 AM, Dmitri Pal <dpal at redhat.com> wrote:

> On 10/04/2011 11:14 AM, John Dennis wrote:
> > On 10/04/2011 10:50 AM, Jimmy wrote:
> >> I've been searching and see a few references to freeRADIUS used with
> >> FreeIPA, but I don't see any substantial information on the subject. Is
> >> there a procedure to use FreeIPA with freeRADIUS? I have a standalone
> >> openldap/freeradius server that I would like to eliminate if possible.
> >
> > Integrating FreeRADIUS with IPA is on the long term roadmap. It's not
> > as easy as one might imagine. The fundamental problem is that many of
> > the RADIUS authentication methods require access to the user's
> > cleartext password or hashes we feel are insecure. This presents a
> > design issue for us to resolve, as such it has been pushed out.
> >
> > Refer to this chart for more information:
> >
> > http://deployingradius.com/documents/protocols/compatibility.html
> >
> >
> OK. This could have created a wrong impression that freeRADIUS can't be
> used now with IPA. This is wrong. There is no tight integration but IPA
> for sure can act as an "authentication oracle" for freeRADIUS.
> http://deployingradius.com/documents/protocols/oracles.html
>
> You have to use: EAP-TTLS as an outer tunnel, PAP as an inner tunnel and
> configure freeRADIUS to do a bind operation against IPA as if it is an
> LDAP server (or you can use pam for that if you want, with SSSD you
> might get offline caching if your connection between RADIUS host and IPA
> might be disrupted, but if they are on the same box or connection is
> reliable it might make sense to use direct ldap bind rather than use the
> PAM stack).
> How to do all this can be found in the RADIUS manual. If you find some
> interesting gotchas related to IPA or SSSD in this setup please share
> with us. Also if you find this information not sufficient let us know
> and we will try to help you find the right documentation.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
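
Added example, not part of the original thread or of FreeIPA/FreeRADIUS code: a small Python model of why PAP inside EAP-TTLS works with a bind against the directory while a challenge-response method such as CHAP does not when the server holds only a salted hash. The `{SSHA}` storage format, the user name and the password are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, os

def ssha(password: bytes) -> bytes:
    # Assumed storage format: LDAP {SSHA} = base64(SHA1(password + salt) + salt)
    salt = os.urandom(8)
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

def ldap_bind_ok(stored: bytes, presented: bytes) -> bool:
    # What the directory does on a simple bind: rehash the presented password
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(presented + salt).digest(), digest)

def pap_via_bind(directory: dict, user: str, password: bytes) -> bool:
    # PAP inside the EAP-TTLS tunnel hands the RADIUS server the password itself,
    # so it can be replayed as a bind. Empty passwords are refused first, because
    # an LDAP simple bind with an empty password is an unauthenticated bind
    # (RFC 4513) and must not count as a successful login.
    if not password or user not in directory:
        return False
    return ldap_bind_ok(directory[user], password)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_check(server_secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    # The server must recompute the response from the secret it holds
    return hmac.compare_digest(chap_response(ident, server_secret, challenge), response)

# Constructed sample data (hypothetical user and password)
PASSWORD = b"correct horse"
DIRECTORY = {"jimmy": ssha(PASSWORD)}

def demo() -> dict:
    challenge = os.urandom(16)
    client = chap_response(1, PASSWORD, challenge)  # client knows the cleartext
    return {
        "pap_good": pap_via_bind(DIRECTORY, "jimmy", PASSWORD),
        "pap_bad": pap_via_bind(DIRECTORY, "jimmy", b"wrong"),
        "pap_empty": pap_via_bind(DIRECTORY, "jimmy", b""),
        "chap_with_cleartext": chap_check(PASSWORD, 1, challenge, client),
        "chap_with_hash_only": chap_check(DIRECTORY["jimmy"], 1, challenge, client),
    }

if __name__ == "__main__":
    print(demo())
```
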