freeradius -peap ad/ldap
Sam Schultz
segfault90 at hushmail.com
Thu Mar 15 17:43:26 CET 2007
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <jvieira at clarku.edu> wrote:
>Alan DeKok wrote:
>> joe vieira wrote:
>>
>>> i have eap-peap authentication working against our ad domain. peachy
>>> keen. what i would like to be able to do is, in our openldap
>>> environment, store attributes for retrieval by radius, cisco stuff/
>>> etc... i assume the way to do this would be to use the authorization
>>> sections, but if you add ldap to that then it automatically adds ldap
>>> authentication...which i don't want..
>>>
>>
>> Upgrade to a newer version of the server, which doesn't do that.
>>
>which versions would that be?
OK, I think I understand what you're asking. If you want to use LDAP
for authorization ONLY, and something else for authentication, you
could put an entry like this in your 'users' file:
DEFAULT <check_items (ex: Realm == 'your_domain')>, Autz-Type := <your_ldap_instance (ex: ldap)>, Auth-Type := <module_instance_for_authentication>
Setting Autz-Type forces a certain type of authorization. Setting
Auth-Type forces a certain type of authentication. Doing this in a
DEFAULT entry causes ALL users that have Fall-Through set to yes to
be passed through the specified authorization & authentication
method.
This could also be set on a per-user basis by changing DEFAULT to
a given user's username.
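How the users entry described in the message pairs with radiusd.conf, as an added example that is not part of the original post or the FreeRADIUS distribution: the Autz-Type value set in users selects the Autz-Type sub-section of the same name inside authorize. The realm value, the instance names ldap and eap, the Auth-Type value and the module order are assumptions for illustration.

```conf
# --- users (constructed sample entry; realm and names are assumptions) ---
# Check items go on the same line as the entry name, separated by commas.
DEFAULT Realm == "example.org", Autz-Type := ldap, Auth-Type := EAP

# --- radiusd.conf (fragment; other modules as already configured) ---
authorize {
        preprocess
        suffix          # sets Realm, so the users entry can match on it
        eap
        files           # reads users; this is where Autz-Type is set

        # Runs only for requests whose Autz-Type is "ldap".
        Autz-Type ldap {
                ldap    # attribute lookup only
        }
}

authenticate {
        # ldap is not listed here, so it is never used to authenticate
        eap
}
```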