On Oct 10, 2021, at 12:15 PM, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
I'm not an expert on freeradius, but at work i manage successfully a setup with freeradius binded to an AD domain, successfully autheticate wireless clients with MSCHAPv2.
That's good.
At home i need to extend my wireless coverage (for now, i use an hostapd and a wireless interface in my server), and so i've thinked about using LDAP as a source for auth data, using as AP some OpenWRT/LEDE routers. Yes, i can use WPA/WPA2 personal, but i want to experiment and continue to assign different credential for different MAC addess. ;)
OK.
I've found the basic setup info on:
https://wiki.freeradius.org/modules/Rlm_ldap
and some other info on how add clients to the LDAP on:
https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html#id...
I think you mean adding user accounts to LDAP. But OK...
Also i've found some forum/blog pages around, but all seems to be about freeradius 2, and does not provide clues on why (at least to me).
People write docs, and then don't update them for 10 years. :(
For example, i suppose i have to use WPA2-Enterprise with EAP-TTLS, but i've not found a place that clarify if the password in LDAP have to be 'in clear', or hashed, and how hashed.
It depends...
Someone have some info, or a good link? Thanks.
http://deployingradius.com/documents/protocols/compatibility.html What's safest is to put salted / encrypted passwords into the database, and then use TTLS+PAP. But not everything supports this. Alan DeKok.