Active Directory/freeradius/enterasys - combination
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 24 11:50:58 CEST 2006
Michael Messner wrote:
>> Use the "ldap" module to query AD and add attributes to the reply
>> dynamically. For example:
>>
>> DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com"
>>         Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"
>>
>> ...or similar.
>
> thanks for your help, now I have configured the Ldap connection to AD
> with the Ldap Groups and yea it works! :-)
>
> But as I understood I can't use PEAP or MD5 authentication, am I right?
> So there is nothing with 802.1x security?!?
> If so, are there any other possible solutions/workarounds?
>
> I hope somebody can give me any help, information, links or something else.
You can use LDAP just for the group checking. You don't have to use it
for processing the authentication. So if you've already got 802.1x
working e.g. using the mschap module and ntlm_auth, you can carry on
using that.
*If* you're having problems, this might be because the "ldap" module is
the first one to process the request and it sets Auth-Type to LDAP
because it thinks it is authoritative.
Easiest is to re-order the modules like so:
authorize {
        preprocess
        # let the various auth types get detected and set
        chap
        mschap
        eap
        # now process the other stuff
        ldap
        files
}
...and remove the "Auth-Type LDAP" section from "authenticate"
Alternatively, the ldap module has a "set_auth_type" option - set it to
"no" and it will never override the auth-type and thus
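Putting the two remedies together in one radiusd.conf, as an added example that is not from this thread or the FreeRADIUS project (FreeRADIUS 1.x syntax; the server name, bind DN, ntlm_auth path and domain are placeholders, and the eap module is assumed to be configured for PEAP in its own section):

```text
# radiusd.conf excerpt (hypothetical values marked CHANGE-ME / domain.com)

modules {
        mschap {
                # PEAP/MSCHAPv2 is checked against AD through winbind,
                # so LDAP never has to see the password. Stock ntlm_auth
                # invocation; the path and fallback domain are assumptions.
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-CHANGE-ME} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

        ldap {
                server   = "dc1.domain.com"                        # assumed DC
                identity = "cn=radius,cn=Users,dc=domain,dc=com"   # assumed bind DN
                password = "CHANGE-ME"
                basedn   = "dc=domain,dc=com"
                filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                # AD groups list their members in the "member" attribute.
                groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
                # The actual fix: rlm_ldap must never claim the authentication,
                # even if it happens to run before mschap/eap.
                set_auth_type = no
        }
}

authorize {
        preprocess
        chap
        mschap
        eap
        ldap        # group lookup only; makes Ldap-Group usable in "users"
        files
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
        # No "Auth-Type LDAP" block: with set_auth_type = no and the
        # ordering above, nothing sets that type, so the block is dead.
}

# users file: group membership from AD maps to the Enterasys policy
DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com"
        Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"
```

Run the server with `radiusd -X` and check that a PEAP request's debug output shows `Auth-Type = EAP` (or `MS-CHAP`) rather than `LDAP` before the ldap module is called.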