
List:       novell
Subject:    Re: [ngw] OT - radius to edir
From:       Peter Van Lone <petervl () gmail ! com>
Date:       2009-08-25 18:26:41
Message-ID: 68b791330908251126r647d0a13gda25ed6624e4ec8e () mail ! gmail ! com

It just kind of boggles my mind that something so simple has been
given such backhanded thought/effort for so many years. I guess when
you believe that all of your important customers are big time
enterprises stocked to the gills with IT talent and are likely to
"roll their own" anyway ... it doesn't matter.

A simple little module, designed to talk to edir and provide basic
radius services ...

sigh




On Tue, Aug 25, 2009 at 11:53 AM, Keith Larson <klarson@k12group.net> wrote:
> It is entirely possible that I did something wrong with the LDAP setup.  I'm
> glad though because I got something way better.  It is very cool.
>
>>>> Peter Van Lone <petervl@gmail.com> 8/25/2009 12:01 PM >>>
> wow -- sounds like a pretty cool solution, but ...
>
> really, seriously, you could find no simple/secure way to configure
> RADIUS against eDirectory?
>
> Sigh ... there has GOT to be a simple way to do this, no? It is
> fall-off-a-log easy to do with AD, of course -- why oh why oh why
> would it be so frelling difficult to do with edir?
>
> P
>
>
> On Tue, Aug 25, 2009 at 10:53 AM, Keith Larson <klarson@k12group.net> wrote:
>> This has been widely discussed on the education list that Novell hosts.
>>
>> I worked on a project last year where we wanted this same thing.  After a
>> significant effort we discovered all usernames and passwords appearing in
>> clear text in our radius logs so we aborted that effort.  We did make it
>> work though.
>>
>> I regrouped and found what I consider to be a better method.  It was rather
>> complex to set up, but the end result was fantastic and I'm working on
>> installing it at more of the schools that I support.
>>
>> We use the ZEN imaging process to automatically name computers.  This
>> guarantees unique names and simplifies it.  During our autoname script, we
>> spit off a file that includes this name to our FreeRADIUS server that is
>> also running OpenSSL.  The certificate server is running a script to look
>> for incoming certificate requests.  When it sees one, it creates a
>> certificate and transfers it to an OES2 server.  I have a NAL object that
>> runs and uses the computer name, so each computer will only find the
>> certificate that was uniquely generated for it.  It imports that certificate
>> and then uses it for EAP/TLS authentication to radius.  Each workstation has
>> its own automatically generated certificate.  Each one could be booted off
>> if there are problems.
>>
>> It is completely hands off now.
>>
>>
>>
>> Keith Larson
>> Franklin Computer Services - K12 Group
>> (614) 561-4887
>> klarson@k12group.net
>>
>>
>>
>>
>>
>>
>>>>> Peter Van Lone <petervl@gmail.com> 8/25/2009 11:41 AM >>>
>> Hello,
>>
>> I have a few questions regarding what services and/or products can
>> allow authentication for users via RADIUS to Novell eDirectory.
>>
>> I have done some looking and the solution I have come up with is
>> FreeRADIUS to be used in combination with the iManager RADIUS plugin --
>> but I am not at all sure that FreeRADIUS is what works with iManager
>> and the RADIUS plugin -- is this the correct combination? Is this the
>> best/easiest way to do this?
>>
>> The goal is to authenticate wireless users using their eDirectory
>> credentials.
>>
>> Anyone done this, and have suggestions or stories to tell about what
>> does or does not work?
>>
>>
>>
>>
>>
>> ------------------------------------------------------------
>> "I like flaws and feel more comfortable around people who have them. I
>> myself am made entirely of flaws, stitched together with good
>> intentions." Augusten Burroughs
>>
>> http://www.the-brights.net
>> http://xkcd.com/167
>>
>> --
>> Visit http://www.ngwlist.com for help unsubscribing
>>
>>
>
>
>
_______________________________________________
Novell mailing list
Novell@netlab1.oucs.ox.ac.uk
http://netlab1.usu.edu/mailman/listinfo/novell
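The hands-off per-workstation certificate flow Keith describes above (imaging script drops a computer name, a script on the OpenSSL box mints a certificate for EAP/TLS), as an added example that is not part of this thread or anyone's production setup: a small POSIX shell script that issues one client certificate per workstation name from a throwaway lab CA. The directory names, the lab CA, the PKCS#12 bundle with an empty export password, and the hostname validation (the name arrives from a file, so it is treated as untrusted input) are all assumptions.

```shell
#!/bin/sh
# Added example: one EAP-TLS client certificate per workstation name.
# CA_DIR and OUT_DIR are assumptions; the original setup used an existing OpenSSL CA.
set -eu
CA_DIR="${CA_DIR:-./demo-ca}"
OUT_DIR="${OUT_DIR:-./issued}"

# Create a throwaway lab CA if none exists yet (self-signed, short-lived).
init_lab_ca() {
  mkdir -p "$CA_DIR" "$OUT_DIR"
  [ -f "$CA_DIR/ca.key" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -subj "/CN=Lab Workstation CA" >/dev/null 2>&1
}

# Issue key + certificate for one workstation; the name becomes the CN so the
# RADIUS server can tie each certificate to exactly one machine.
issue_workstation_cert() {
  ws="$1"
  # The name comes from a dropped file: accept only a plain hostname, nothing
  # that could become a path component or a subject-string separator.
  case "$ws" in
    ""|.*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$OUT_DIR/$ws.key" -out "$OUT_DIR/$ws.csr" \
    -subj "/CN=$ws" >/dev/null 2>&1
  openssl x509 -req -in "$OUT_DIR/$ws.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -days 365 -out "$OUT_DIR/$ws.crt" >/dev/null 2>&1
  # Bundle key + cert for import on the workstation (empty password: lab only).
  openssl pkcs12 -export -inkey "$OUT_DIR/$ws.key" -in "$OUT_DIR/$ws.crt" \
    -out "$OUT_DIR/$ws.p12" -passout pass: >/dev/null 2>&1
  rm -f "$OUT_DIR/$ws.csr" "$OUT_DIR/$ws.key"   # private key lives only in the bundle
}

# Check that an issued certificate chains to the lab CA and names the expected host.
verify_workstation_cert() {
  ws="$1"
  openssl verify -CAfile "$CA_DIR/ca.crt" "$OUT_DIR/$ws.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$OUT_DIR/$ws.crt" -noout -subject | grep -q "CN *= *$ws\$"
}
```

Revoking a single workstation ("booting it off", as Keith puts it) then means adding that certificate's serial to the CA's CRL that the RADIUS server checks, rather than touching any user account.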
