The following site discusses how to set up FreeRADIUS to authenticate against an LDAP backend (it goes through a tutorial showing how to expose NT hashed passwords in FreeIPA so that FreeRADIUS can read them).
https://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
It also discourages the use of Kerberos key tabs to connect FreeRADIUS to IPA because when using e.g., PAP authentication,
"FreeRADIUS can either read the NTHash and do a comparison (as above),
or it can directly bind to the LDAP server. This means in the direct
bind case, that the transport may not be encrypted due to the keytab."
On the flip side, various FreeRADIUS guides discourage the use of LDAP (e.g., see the comments in the default inner-tunnel site), which state:
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
What is the rationale behind the above statement, other than a generic disclaimer?
Can someone please explain, from a security standpoint, the pros and cons of one approach vs. the other?
I've successfully set up using an LDAP backend (no KRB) and I'm using PEAP for WiFi authentication. I'd like to better understand the security tradeoffs for this scenario.