I never though about splitting the authentication and authorization between ntlm and ldap. I don't see why that wouldn't work, but I really have no idea. But that would be pretty slick, coupled with some hacked wrt54g's to support the vlans.... a pretty cheap enterprise level solution! -- Chris Liles
-----Original Message----- From: freeradius-users- bounces+chris.liles=air2web.com@lists.freeradius.org [mailto:freeradius- users-bounces+chris.liles=air2web.com@lists.freeradius.org] On Behalf Of Neal S. Garber Sent: Wednesday, June 28, 2006 4:44 PM To: FreeRadius users mailing list Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
You will need to configure the LDAP module to fetch groups from ADs LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is setup correctly:
DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 10, Tunnel-Type = VLAN
DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 20, Tunnel-Type = VLAN
The doc. states that LDAP only supports PAP. Is this a problem given he said he's using PEAP/MSCHAPv2? How would LDAP do the authentication if it doesn't have a clear text password? Or is the approach to use MSCHAPv2 for authentication and then LDAP for authorization??
Thanks for helping me better understand...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html