[Freeipa-users] connecting freeipa server with free radius

John Dennis jdennis at redhat.com
Wed Aug 26 13:32:52 UTC 2009


On 08/26/2009 04:16 AM, Rachid Zarouali wrote:
> Hello Dimitri,
> I'll try to answer your questions the best I can :-)
>
> Basically we plan to use the LDAP IPA password.
> At first we want to use RADIUS for authentication only.
>
> I'm not sure about what you call outer/inner methods :(
> The base of the authentication in the project is the IPA LDAP,
> to which we try to connect a FreeRADIUS server which is used to authenticate admins on router/firewall .....
>
> Am I clear?

If it's just admin access on a router/firewall I don't see a problem at 
the moment. You should be able to use PAP on the router/firewall: it 
encrypts the plaintext password and sends it to the FreeRADIUS server, 
which decrypts it, resulting in the plaintext password. The FreeRADIUS 
server would then be configured to use Kerberos; it uses the plaintext 
password and obtains a TGT (i.e. it does a kinit on behalf of the user). 
If this is successful, the RADIUS authentication is successful. All this 
should work "out of the box" for both IPA and FreeRADIUS (although 
you'll have to edit the FreeRADIUS config to enable krb5).

We're not thrilled with this solution because the radius server sees a 
plaintext password (although it's encrypted during transport). The 
security is adequate but not ideal. Safer authentication methods require 
us to do more integration work between IPA and FreeRADIUS, which at the 
moment is a deferred work item.
-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

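The PAP step described above, as an added illustration that is not part of this thread: RFC 2865 section 5.2 hides the User-Password attribute by XORing 16-byte blocks against MD5(shared secret || Request-Authenticator), chained block to block, and the RADIUS server with the shared secret reverses it and ends up holding the plaintext. The secret, authenticator and password below are constructed sample values.

```python
import hashlib
import secrets

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide the password as RFC 2865 s5.2 describes (not encryption in a modern sense)."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs up to a multiple of 16 octets.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator  # b1 = MD5(S + RA); b_i = MD5(S + c_{i-1})
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], b))
        hidden += c
        prev = c
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding; this is exactly what a RADIUS server does before krb5/kinit."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(plain).rstrip(b"\x00")  # strip the NUL padding (NUL cannot occur in a password)


if __name__ == "__main__":
    # Constructed sample values; a real NAS picks a fresh random Request-Authenticator per request.
    shared_secret = b"example-shared-secret"
    request_authenticator = secrets.token_bytes(BLOCK)
    pw = b"correct horse battery"
    on_the_wire = hide_user_password(pw, shared_secret, request_authenticator)
    print("hidden attribute:", on_the_wire.hex())
    print("server recovers :", reveal_user_password(on_the_wire, shared_secret, request_authenticator))
```

Anyone holding the shared secret and the packet recovers the same plaintext, which is why the reply calls the transport protection adequate but not ideal.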