As I mentioned, I haven't set up OTRS with RADIUS. I will only be able to
tell you what I know about Network Policy Server.
Any other RADIUS server implementations ... I don't know how to answer the
question.

The way I work NPS:
In the Client section, I create an arbitrary friendly name. Remember what
it is.
I include the IP address of the device asking for the request.
I create a shared secret (remember what it is),
and I make sure Unencrypted is checked on the authentication methods
(already you can see a warning herein).

In the Policy section:
I make sure that the Client Friendly name is matched (optional: and that
group membership applies).

For Config.pm:
    # This is example configuration to auth. agents against a radius server
    $Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::Radius';
    $Self->{'Customer::AuthModule::Radius::Host'} = 'radiushost'; # the server providing NPS
    $Self->{'Customer::AuthModule::Radius::Password'} = 'radiussecret'; # the shared secret from above

In theory, this should be adequate. If LDAP authentication works for user
cred sign on, Radius should as well, for the same credentials.

Again, this is not SSO, this is only using RADIUS for authentication.



On Tue, May 13, 2014 at 11:59 AM, Darshak Modi(darshak.modi) <
darshak.m...@elitecore.com> wrote:

>  Hi Gerald,
>
> Sorry I jumped to this topic.
> I would be interested to use RADIUS for such purpose.
> I tried earlier but am not sure how / which field Windows AD uses for
> password with RADIUS. I guess we need to make a logical mapping of the
> password field.
> In RADIUS the request comes in User-Password/CHAP-Password and how to
> make use of it with AD I am not sure.
>
> My RADIUS does search but it results in saying password failures (LDAP
> works fine though).
>
>
>
>
>
> On 5/13/2014 9:23 PM, Gerald Young wrote:
>
> Hi, David,
>
>  Since I'm constantly securing Cisco VPN's via RADIUS with Windows
> Network Policy Server, I have a recipe that works quite well for that
> purpose, making the VPN logins follow desktop passwords and using AD group
> membership to address allowed VPN users.
>
>  I don't mind providing such information, if you're interested. However,
> without that information, RADIUS is indeed not for the faint of heart.
>
>
>
>
> On Tue, May 13, 2014 at 11:44 AM, David Boyes <dbo...@sinenomine.net> wrote:
>
>>
>>
>> I notice the link you provided uses RADIUS for authentication instead of
>> the others I pointed to that use Kerberos.  Would you say that this is a
>> simpler and more supported way of handling the SSO issue?
>>
>>
>>
>> I’m not Gerald, but I’ll speak up: No, unless you have another REALLY
>> compelling reason to use RADIUS (like a dialup terminal server that uses it
>> for AAA), it’s not the direction you want to go. RADIUS is REALLY
>> complicated to get working right, and it’s increasingly rare. Kerberos/AD
>> (AD is just an integrated Kerberos/LDAP server) is the way to go.
>>
>> ---------------------------------------------------------------------
>> OTRS mailing list: otrs - Webpage: http://otrs.org/
>> Archive: http://lists.otrs.org/pipermail/otrs
>> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>>