[Freeipa-users] freeipa radius cisco
John Dennis
jdennis at redhat.com
Fri Jan 18 15:13:21 UTC 2013
On 01/18/2013 09:31 AM, Han Boetes wrote:
> In the users file
> DEFAULT Auth-Type = Kerberos
> Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
Be careful!
It's almost never a good idea to set the Auth-Type in the user config.
Why? Because normally the server figures out the best Auth-Type to use
for a given Auth-Request based on the contents of the Auth-Request
packet. The contents of the Auth-Request packet depends exclusively on
the configuration of the user's device, something you typically do not
have control over (think of random user trying to connect with unknown
device).
The FR server figures out which Auth-Type to use based on its
configuration and set of policy rules, all of which you can write.
The problem comes when a user sends an Auth-Request whose contents do
not match the Auth-Type you've forced on them; then things will
completely *fail*.
Using DEFAULT for the Auth-Type is an even more pernicious problem
because you're saying apply this to everyone that lands in the default
category.
There are a few Auth-Types the server can't figure out on its own;
Kerberos is one of them (because fundamentally it's no different than
PAP in terms of what the client sends). There are a number of approaches
one can take to address this issue via policy configuration in the
server, but I'm sorry to say I don't have time to document and test all
those at the moment.
All I'm trying to say is what you've done above will work only in a very
constrained scenario, it is not a general solution. The FreeRADIUS list
is filled with folks' attempts to force an Auth-Type in the users file
only to discover their woes.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
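As an added illustration (not part of the original post or of FreeRADIUS's shipped configuration), the forced-Auth-Type users entry from the quoted message beside a policy-driven alternative in the server's authorize section that selects Kerberos only when the request actually carries a User-Password, leaving CHAP and MS-CHAP requests to the server's normal detection. The unlang syntax is assumed to be that of FreeRADIUS 2.x/3.x, and the Auth-Type value `Kerberos` is taken from the quoted message; it must match the Auth-Type name your krb5 module instance registers.

```conf
# --- users (rlm_files): the weak form, as in the quoted message ---
# Forcing Auth-Type here applies Kerberos to every request that falls
# through to DEFAULT, including CHAP/MS-CHAP requests that carry no
# cleartext password for Kerberos to verify, so those fail outright.
DEFAULT Auth-Type = Kerberos
        Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"

# --- users (rlm_files): leave Auth-Type selection to the server ---
# Reply items only; no Auth-Type is forced on anyone.
# Note: priv-lvl=15 is full enable access on Cisco IOS, and a DEFAULT
# entry hands it to every user who authenticates.
DEFAULT
        Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"

# --- sites-enabled/default, authorize section (assumed unlang syntax) ---
authorize {
    preprocess
    chap        # sets Auth-Type := CHAP when a CHAP-Password is present
    mschap      # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    files       # loads the reply items from the users file above

    # Kerberos can only check a cleartext password, so pick it solely for
    # PAP-style requests that contain User-Password and for which no earlier
    # module has already chosen an Auth-Type.
    if (User-Password && !control:Auth-Type) {
        update control {
            Auth-Type := Kerberos
        }
    }
}
```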