Combining EAP, MSCHAP and LDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Dec 9 10:14:37 CET 2013


> I followed a couple of online guides and have had FreeRadius successfully authenticate users against AD, however I then found something saying if I wanted to check groups I would have to use LDAP.
> 
> Following the information in the Dirk van der Walt book, it states that you can bind to LDAP as a user but are limited to PAP authentication or you can read the userPassword attribute which must be plain text if MSCHAP is needed. Neither sounds suitable for what I need.

Or NT-Password.

> Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute and an encrypted password?

MSCHAPv2 will work with the password in cleartext, or hashed as an NT-Password (MD4).

> As the password is encrypted and of little use, our LDAP expert suggested that we bind using a system account to check the account exists and has rights for wireless (I have this bit working), then to authenticate a bind is made as the user. Does this sound reasonable?

No. MSCHAPv2 doesn't provide the cleartext password, so you will not be able to bind.

> Would binding to the AD server as an LDAP server offer any better avenue?

No.

> As this is currently a proof-of-concept lab exercise, we do not want to make any changes to our existing infrastructure if possible. If that is required, giving users permission to see their wireless attribute in LDAP seems like the least painful.

Best bet is to use your LDAP directory for authorisation, and your AD server for authentication. There are quite a few guides on setting up AD with FreeRADIUS.

The LDAP module supports an 'access' attribute, and will allow you to do group lookups.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
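As an added illustration of the split recommended in the reply (not part of the original mail, and not a configuration the FreeRADIUS project ships as-is), the sketch below shows FreeRADIUS v3 module and inner-tunnel sections that authorise against a separate LDAP directory using the access attribute and a group check, while PEAP/MSCHAPv2 authentication is delegated to AD through Samba's ntlm_auth. Server names, DNs, the group name and the ntlm_auth path are placeholders.

```conf
# mods-available/ldap  (authorisation only: bind as a service account, never as the user)
ldap {
        server   = 'ldap.example.org'                     # placeholder directory host
        identity = 'cn=radius-svc,ou=services,dc=example,dc=org'
        password = 'CHANGE_ME'                            # read-only service account
        base_dn  = 'dc=example,dc=org'
        user {
                base_dn = "${..base_dn}"
                filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                # Users lacking this attribute (or with it set to FALSE) are rejected
                # during authorize; this is the 'access' attribute mentioned in the reply.
                access_attribute = "dialupAccess"
        }
        group {
                base_dn = "ou=groups,${..base_dn}"
                filter  = '(objectClass=groupOfNames)'
                membership_attribute = 'memberOf'
        }
}

# mods-available/mschap  (authentication: AD verifies the MSCHAPv2 response via ntlm_auth;
# the cleartext password is never seen by the RADIUS server, so no user bind is needed)
mschap {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-available/inner-tunnel  (the PEAP inner method runs here)
server inner-tunnel {
        authorize {
                ldap                     # look the user up; access_attribute gate applies here
                if (notfound) {
                        reject           # not in the directory at all
                }
                # Only members of the placeholder "wireless" group may continue.
                if (!(LDAP-Group == "cn=wireless,ou=groups,dc=example,dc=org")) {
                        reject
                }
                mschap                   # sets Auth-Type = MS-CHAP for the MSCHAPv2 exchange
        }
        authenticate {
                Auth-Type MS-CHAP {
                        mschap           # hands the challenge/response to AD via ntlm_auth
                }
        }
}
```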
