[Freeipa-users] freeipa radius cisco

John Dennis jdennis at redhat.com
Fri Jan 18 15:50:29 UTC 2013


On 01/18/2013 10:13 AM, John Dennis wrote:
> On 01/18/2013 09:31 AM, Han Boetes wrote:
>> In the users file
>> DEFAULT Auth-Type = Kerberos
>>           Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
>
> Be careful!
>
> It's almost never a good idea to set the Auth-Type in the user config.
> Why? Because normally the server figures out the best Auth-Type to use
> for a given Auth-Request based on the contents of the Auth-Request
> packet. The contents of the Auth-Request packet depend exclusively on
> the configuration of the user's device, something you typically do not
> have control over (think of a random user trying to connect with an
> unknown device).
>
> The FR server figures out which Auth-Type to use based on its
> configuration and set of policy rules, all of which you can write.
>
> The problem comes when a user sends an Auth-Request whose contents do
> not match the Auth-Type you've forced on them; then things will
> completely *fail*.
>
> Using DEFAULT for the Auth-Type is an even more pernicious problem
> because you're saying apply this to everyone that lands in the default
> category.
>
> There are a few Auth-Types the server can't figure out on its own;
> Kerberos is one of them (because fundamentally it's no different from
> PAP in terms of what the client sends). There are a number of approaches
> one can take to address this issue via policy configuration in the
> server, but I'm sorry to say I don't have time to document and test all
> those at the moment.
>
> All I'm trying to say is what you've done above will work only in a very
> constrained scenario; it is not a general solution. The FreeRADIUS list
> is filled with folks' attempts to force an Auth-Type in the users file,
> only to discover their woes.
>

Here are a couple of threads I found on the freeradius-users list which 
might be of help to you:

You should use a TLS tunnel with Kerberos auth because the user's 
password is sent in the request packet; this thread explains some of 
the issues with doing krb inside the inner tunnel of the server:

http://lists.freeradius.org/pipermail/freeradius-users/2011-February/051625.html

This is a how-to someone wrote up on using kerberos with FreeRADIUS, 
sorry I haven't read it to check for accuracy, but it might be helpful.

http://lists.freeradius.org/pipermail/freeradius-users/2012-December/064375.html

-- 
John Dennis <jdennis at redhat.com>

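The policy approach John describes (let the server pick the Auth-Type from the packet, and select Kerberos only for requests that can actually support it) sketched as FreeRADIUS 2.x configuration. This is an added example, not configuration from the original post or from the FreeRADIUS project; the keytab path, service principal, module ordering and the exact unlang wording are assumptions and should be checked against the raddb shipped with your FreeRADIUS version.

```conf
# raddb/users: no Auth-Type here at all; only the reply attributes for the
# Cisco NAS. (Check items for this entry are deliberately left empty.)
DEFAULT
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# raddb/modules/krb5  (assumed paths and principal; adjust for your realm)
krb5 {
        keytab            = /etc/raddb/radius.keytab      # assumption
        service_principal = radius/radius.example.com     # assumption
}

# raddb/sites-available/default
authorize {
        preprocess
        chap            # sets Auth-Type := CHAP when CHAP-Password is present
        mschap          # sets Auth-Type := MS-CHAP for MS-CHAP requests
        eap             # sets Auth-Type := EAP when EAP-Message is present
        files

        # Kerberos needs the cleartext password, so only select it when the
        # request really carries one (PAP-style) and no module above has
        # already claimed the request. Forcing Kerberos on a CHAP or EAP
        # request would fail every time: there is no password to verify.
        if (User-Password && !control:Auth-Type) {
                update control {
                        Auth-Type := Kerberos
                }
        }
}

authenticate {
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type Kerberos {
                krb5
        }
        eap
}
```

Two things to keep in mind when adapting this: the User-Password in a PAP-style request is only protected by the RADIUS shared-secret obfuscation, which is why the reply above recommends a TLS tunnel; and a DEFAULT reply entry still hands `shell:priv-lvl=15` to every user who authenticates, so add a check item (a group match or a NAS restriction) to that entry before it goes near a production router.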
