Hi Ivan, my problem was that in LDAP i have the passwords save as SSHA, so i cant do 802.1x with EAP/PEAP/mschap as i dont wanna change my LDAP configuration to store the passwords in clear-text, or to use samba.scheme and to use NT hash. The only option remaining from my view point was to try and distinguish between normal authentication and 802.1x authentication thats why i came up with this realm stuff, to be able to authenticate 802.1x users in the users file (where i have user/passwords in clear-text) and normal users in LDAP (SSHA) thats why i was asking if, its possible, and if it functional, or maybe there is another solution then the one provided by Alan (to not use 802.1x) :D thank you again for you feedback Best Regards, Caius Pargar --- On Wed, 11/11/09, tnt@kalik.net <tnt@kalik.net> wrote:
From: tnt@kalik.net <tnt@kalik.net> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Wednesday, November 11, 2009, 1:06 AM
i was thinking at the following: to do the normal user authentication in LDAP, based on the provided realm, and if no realm present authenticate the users in users file. Users which use 802.1x will be saved in clear-text in users file and users used for authentication for other stuff, will be checked in LDAP (@mydomain.com)
or can i switch this around? a user: myuser@dot1x.com will be based on the real authenticated in users file for 802.1x and a user with no realm will be authenticated in LDAP?
please tell me your opinion on this, is it possible?
Use suffix and configure dot1x.com as local realm in proxy.conf:
realm dot1x.com { }
... and you don't need multiple entries for the same user. Both users file and ldap module will use Stripped-User-Name for authentication by defauly.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html