[Freeipa-users] freeipa radius cisco

John Dennis jdennis at redhat.com
Fri Jan 18 15:13:21 UTC 2013


On 01/18/2013 09:31 AM, Han Boetes wrote:
> In the users file
> DEFAULT Auth-Type = Kerberos
>          Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"

Be careful!

It's almost never a good idea to set the Auth-Type in the user config. 
Why? Because normally the server figures out the best Auth-Type to use 
for a given Auth-Request based on the contents of the Auth-Request 
packet. The contents of the Auth-Request packet depend exclusively on 
the configuration of the user's device, something you typically do not 
have control over (think of a random user trying to connect with an unknown 
device).

The FR server figures out which Auth-Type to use based on its 
configuration and set of policy rules, all of which you can write.

The problem comes when a user sends an Auth-Request whose contents do 
not match the Auth-Type you've forced on them; then things will 
completely *fail*.

Using DEFAULT for the Auth-Type is an even more pernicious problem 
because you're saying apply this to everyone who lands in the default 
category.

There are a few Auth-Types the server can't figure out on its own; 
kerberos is one of them (because fundamentally it's no different than 
pap in terms of what the client sends). There are a number of approaches 
one can take to address this issue via policy configuration in the 
server, but I'm sorry to say I don't have time to document and test all 
of those at the moment.

All I'm trying to say is what you've done above will work only in a very 
constrained scenario; it is not a general solution. The FreeRADIUS list 
is filled with folks' attempts to force an Auth-Type in the users file, 
only to discover their woes.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
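The failure mode described in the reply above, as an added illustration that is not part of the original thread and is not FreeRADIUS code: a small Python model of how a RADIUS server picks an Auth-Type from the attributes actually present in an Access-Request, and what happens when a users-file entry forces one instead. The request dictionaries are constructed samples, and the requirement table is a simplification (a real server also checks proxying, EAP state and module-specific options); the point it shows is that a cleartext password is indistinguishable between PAP and Kerberos on the wire, so Kerberos must be chosen by policy, while a forced Auth-Type applied to a CHAP or EAP client has nothing to work with.

```python
"""Toy model of Auth-Type selection (added example, not FreeRADIUS unlang).

An Access-Request is modelled as a dict of attribute -> value. The server
inspects which credential attributes the NAS sent and picks a method; a
users-file 'Auth-Type =' entry bypasses that and breaks every request
whose contents do not fit the forced method.
"""
from typing import Optional

# Constructed sample requests: what different client devices might send.
PAP_REQUEST = {"User-Name": "alice", "User-Password": "s3cret"}
CHAP_REQUEST = {
    "User-Name": "alice",
    "CHAP-Challenge": b"\x00" * 16,
    "CHAP-Password": b"\x01" + b"\x00" * 16,
}
EAP_REQUEST = {"User-Name": "alice", "EAP-Message": b"\x02\x01\x00\x0a\x01alice"}
BARE_REQUEST = {"User-Name": "alice"}

# Attributes each method needs from the request to run at all.
REQUIREMENTS = {
    "EAP": {"EAP-Message"},
    "CHAP": {"CHAP-Password", "CHAP-Challenge"},
    "PAP": {"User-Password"},
    # Kerberos needs the cleartext password to obtain a TGT: same as PAP.
    "Kerberos": {"User-Password"},
}


def infer_auth_type(request: dict) -> Optional[str]:
    """Mimic the server's automatic choice based on request contents."""
    if "EAP-Message" in request:
        return "EAP"
    if "CHAP-Password" in request:
        return "CHAP"
    if "User-Password" in request:
        # Cleartext password: PAP and Kerberos look identical on the wire,
        # so without a policy rule the server can only assume PAP.
        return "PAP"
    return None  # no usable credential -> reject


def select_auth_type(request: dict, forced: Optional[str] = None,
                     krb_for_cleartext: bool = False) -> Optional[str]:
    """Return the Auth-Type that will run.

    forced: a users-file 'Auth-Type =' value (the pattern warned about).
    krb_for_cleartext: a policy rule that upgrades PAP to Kerberos only
    when the request really carries a cleartext password.
    """
    if forced is not None:
        return forced
    auth_type = infer_auth_type(request)
    if auth_type == "PAP" and krb_for_cleartext:
        return "Kerberos"
    return auth_type


def authenticate(request: dict, forced: Optional[str] = None,
                 krb_for_cleartext: bool = False) -> str:
    """Return the method that ran, or a REJECT string explaining why not."""
    auth_type = select_auth_type(request, forced, krb_for_cleartext)
    if auth_type is None:
        return "REJECT: no credential attribute in request"
    missing = REQUIREMENTS[auth_type] - request.keys()
    if missing:
        return f"REJECT: {auth_type} needs {sorted(missing)} but request lacks them"
    return auth_type


if __name__ == "__main__":
    for name, req in [("PAP", PAP_REQUEST), ("CHAP", CHAP_REQUEST),
                      ("EAP", EAP_REQUEST), ("bare", BARE_REQUEST)]:
        print(f"{name:5} client, policy-chosen:  {authenticate(req, krb_for_cleartext=True)}")
        print(f"{name:5} client, forced Kerberos: {authenticate(req, forced='Kerberos')}")
```

Run as a script, the policy-driven column authenticates every client that sent something usable (Kerberos for the cleartext one, CHAP and EAP for the others), while the forced-Kerberos column only succeeds for the PAP-style client and rejects the rest, which is the "constrained scenario" the reply warns about.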