[Freeipa-users] freeipa radius cisco

Dmitri Pal dpal at redhat.com
Tue Jan 15 20:32:55 UTC 2013


On 01/15/2013 11:09 AM, Simo Sorce wrote:
> On Tue, 2013-01-15 at 16:39 +0100, Han Boetes wrote:
>> Hi,
>>
>>
>> Since most of our Cisco images do not support encryption, the apparent
>> way to go is using RADIUS, which is supported by most Cisco devices.
>>
>>
>> What is the current status for making this wonderful idea work in the
>> real world?
>>
> We haven't resumed work to integrate RADIUS as a full feature component
> of FreeIPA yet, sorry.
>
> Simo.
>
But this does not mean that you can't use FreeRADIUS with the LDAP, Kerberos
or PAM plugin.
You do not need to have integrated RADIUS to get auth from IPA.
http://wiki.freeradius.org/modules/Rlm_ldap
http://wiki.freeradius.org/modules/Rlm_krb5
http://wiki.freeradius.org/modules/Rlm_pam

Just configure FreeRADIUS to use one of those authentication methods and
you can use it with FreeIPA.
http://deployingradius.com/documents/protocols/oracles.html
We recommend configuring EAP-TTLS if your infrastructure supports it and
using PAP as the inner method.
If this is not possible you would have to use PAP, so you need to use
pretty long secrets (I would say 20 bytes at least).
Keep in mind that untunneled PAP is based on MD5, which would be a
problem if your environment needs to comply with different compliance
acts; tunneling would be a must.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
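As an added example (not code from this thread or from FreeRADIUS), here is the RFC 2865 User-Password hiding that untunneled RADIUS PAP relies on, written in Python, together with a check for the 20-byte shared-secret floor suggested in the message above. The secret, Request Authenticator and password values used with it are constructed for illustration.

```python
import hashlib

# Floor for the RADIUS shared secret, taken from the 20-byte suggestion in the message above.
MIN_SECRET_LEN = 20


def _pad16(data: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16 bytes, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value a RADIUS client sends for PAP.

    Each 16-byte block of the padded password is XORed with
    MD5(secret || previous_block); for the first block the previous block
    is the 16-byte Request Authenticator, which travels in the clear. The
    keystream therefore depends only on the shared secret and public data,
    which is why the message insists on long secrets and on tunneling.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1 to 128 octets of password")
    out = bytearray()
    prev = authenticator
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream is keyed on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo hide_password as the RADIUS server does, stripping the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def secret_is_strong_enough(secret: bytes) -> bool:
    """Enforce the minimum shared-secret length before allowing untunneled PAP."""
    return len(secret) >= MIN_SECRET_LEN
```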