On 11/01/2017 17:05, Staiger, Moritz (RRZE) wrote:
we are running freeradius 3.0.12 which is authenticating against an openldap server with EAP PEAP MSCHAPv2 When you say "is authenticating against an openldap server", I wonder if you mean "is reading a cleartext password or NTLM password hash out of an openldap server"
When people say "authenticating against LDAP" they usually mean "using LDAP as a password oracle by doing an LDAP BIND with the user-supplied password". But if you are using MSCHAPv2 this is impossible, since you don't receive the cleartext password.
In future we want to enable VLAN assignment via LDAP so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking.
Users from LDAP group „Admins“ should be assigned to VLAN 10 (management) Users from LDAP group „Operators“ should be assigned to VLAN 20 (operator) Users from other LDAP groups „Group-X“ should be assigned to userspecific VLAN which is represented in the LDAP attribute „radiusTunnelPrivateGroupId“. This might help as a starting point. http://lists.freeradius.org/pipermail/freeradius-users/2016-December/085977....