You can integrate Novell® eDirectory™ 8.8 or later with FreeRADIUS 1.0.2 onwards to allow wireless authentication for eDirectory users.
If you are new to FreeRADIUS, refer to the FreeRADIUS site for more information.
For more information on eDirectory, refer to the Novell eDirectory 8.8 Administration Guide.
By integrating eDirectory with FreeRADIUS, you can do the following:
Use universal password for RADIUS authentication
Universal password provides single login and authentication for eDirectory users. Therefore, the users need not have a separate password for RADIUS and eDirectory authentication.
Enforce eDirectory account policies for users
The existing eDirectory policies on the user accounts can still be applied even after integrating with RADIUS. Also, you can make use of the intruder lockout facility of eDirectory by logging the failed logins into eDirectory.
Figure 1-1 Wireless Authentication to FreeRADIUS integrated eDirectory
FreeRADIUS and eDirectory can be on two different machines. For example, you can have an eDirectory LDAP server with NMAS running on NetWare, but run FreeRADIUS on Linux without eDirectory on it.
eDirectory users can use any of the following protocols for RADIUS authentication:
CHAP
EAP-MSCHAP v1 and v2
EAP-TLS
LEAP
MS-CHAP v1 and v2
PEAP
For a complete list of protocols and information on them, refer to the FreeRADIUS Features and IETF web sites.
IMPORTANT: We recommend that you use SHA-1 or SHA-2 based algorithms and not MD5-based authentication protocols for better security.
To integrate eDirectory with FreeRADIUS, you need to do the following:
Install and configure the FreeRADIUS server.
Enable RADIUS authentication for eDirectory users by configuring them using the iManager plug-in for RADIUS.
Information on these topics is covered in the subsequent chapters.