Howto ignore phase1 identity EAP-PEAP +mschapv2+openldap

Fred MAISON fred.maison at gmail.com
Fri Mar 26 11:33:25 CET 2010


Hello freeradius-users,
I am looking for a way to ignore the phase 1 identity and to avoid LDAP access during
phase 1 for EAP-PEAP/MSCHAPv2.

I am trying to migrate a FreeRADIUS V1 eap + ldap instance to FreeRADIUS
V2.1.8 (+1200 NAS, many kinds of AP, mostly Cisco, all sorts of
supplicants on XP SP2/SP3, MacOSX, unknown cash registers and so on, all
around the world ...).

As I understand that starting from V1 configs is always a BAD idea, I started
from a default 2.1.8, with sites-enabled as default and inner-tunnel,
with ldap.
authorize must check that the user has some radiusgroup-name attribute in ldap,
then authenticate the user in ldap.

According to the customer:
For phase 1 (outer):
* no check has to be done on phase 1 (ignore outer identity, etc ...)
* a huntgroup hotspot is assigned during outer preprocess
For phase 2 (inner):
* use inner identity to check if the user has the correct radiusgroup-name
attribute
* use inner identity to validate user/password, mostly using EAP-PEAP with
MSCHAPv2, without ntlm_auth from samba installed.

I have a basic setup which seems to work (eapol_test compiled from
hostapd sources), but it generates a lot of logs and ldap access during
phase 1. It also fails if the outer identity is unknown in ldap (anonymous
or other fancy ids encountered in the customer's freeradius v1 production
auth_logs ...).

I have eapol_test log and freeradius -X available.

Would you have some guidelines to achieve this?

Best regards
Fred
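An added example (not from the original post and not the FreeRADIUS project's own configuration) of how the outer and inner virtual servers could be split so that ldap is only consulted for the inner identity. It assumes FreeRADIUS 2.1.x unlang syntax, that the huntgroups file assigns the huntgroup "hotspot" in preprocess, that ldap.attrmap maps the LDAP password to a Cleartext-Password or NT-Password check item (needed for MS-CHAPv2 without ntlm_auth), and that radiusGroupName is the rlm_ldap groupmembership_attribute (the 2.x default) with "hotspot" as an assumed group value.

```unlang
# --- sites-enabled/default : outer virtual server (phase 1) ---
# ldap is deliberately NOT listed here, so the outer (possibly anonymous)
# identity is never looked up and produces no LDAP traffic or LDAP logs.
authorize {
    preprocess          # huntgroups file assigns Huntgroup-Name "hotspot" (assumed)
    eap {
        ok = return     # plain EAP start/identity handling stops here
    }
}
authenticate {
    eap                 # PEAP TLS tunnel; the inner EAP is handed to "inner-tunnel"
}

# --- sites-enabled/inner-tunnel : inner virtual server (phase 2) ---
# Only the identity sent inside the TLS tunnel reaches this server.
server inner-tunnel {
    authorize {
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        ldap            # inner identity lookup; the mapped password check item
                        # is what rlm_mschap verifies MS-CHAPv2 against
        if (notfound) {
            reject      # inner user does not exist in LDAP
        }
        # group check via rlm_ldap's groupmembership_attribute (radiusGroupName);
        # "hotspot" is an assumed group value, replace with the real one
        if (!(Ldap-Group == "hotspot")) {
            reject
        }
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap             # EAP-MSCHAPv2 inside PEAP ends up here
    }
}
```

Running `freeradius -X` with this split should show no ldap calls until the inner-tunnel section is entered for the tunneled identity.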
