[Freeipa-users] freeRADIUS?

John Dennis jdennis at redhat.com
Wed Oct 5 14:28:07 UTC 2011 

On 10/05/2011 09:44 AM, Dmitri Pal wrote:
> On 10/04/2011 11:14 AM, John Dennis wrote:
>> On 10/04/2011 10:50 AM, Jimmy wrote:
>>> I've been searching and see a few references to freeRADIUS used with
>>> FreeIPA, but I don't see any substantial information on the subject. Is
>>> there a procedure to use FreeIPA with freeRADIUS? I have a standalone
>>> openldap/freeradius server that I would like to eliminate if possible.
>>
>> Integrating FreeRADIUS with IPA is on the long term roadmap. It's not
>> as easy as one might imagine. The fundamental problem is that many of
>> the RADIUS authentication methods require access to the user's
>> cleartext password or hashes we feel are insecure. This presents a
>> design issue for us to resolve, as such it has been pushed out.
>>
>> Refer to this chart for more information:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>>
> OK. This could have created a wrong impression the freeRADIUS can't be
> used now with IPA. This is wrong. There is no tight integration but IPA
> for sure can act as an "authentication oracle" for freeRADIUS.
> http://deployingradius.com/documents/protocols/oracles.html
>
> You have to use: EAP-TTLS as an outer tunnel, PAP as an inner tunnel and
> configure freeRADIUS to do bind operation against IPA as if it is an
> LDAP server (or you can use pam for that if you want, with SSSD you
> might get offline caching if you connection between RADIUS host and IPA
> might be disrupted, but if they are on the same box or connection is
> reliable it might make sense to use direct ldap bind rather than use the
> PAM stack) .
> How to do all this can be found in the RADIUS manual. If you find some
> interesting gotchas related to IPA or SSSD in this setup please share
> with us. Also if you find this information not sufficient let us know
> and we will try to help you find the right documentation.
>

Sure, but the typical stumbling block is that in the majority of cases 
the goal is transparent wireless authentication by supplicants in their 
default configuration. It's usually difficult to get users to properly 
configure their supplicants and for some versions of Windows it may not 
be possible at all without installing a different supplicant. Then there 
is is the issue of getting the radius CA cert into each client or 
telling users to disable cert validation which is not something we 
should be doing. In short, there are logistical problems which may not 
meet real world needs. It's hard to know a prori if the above will meets 
the needs or not, perhaps it will so it's good Dmitri posted the suggestion.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-users mailing list