On 04/20/2011 10:23 AM, Alexandros Gougousoudis wrote:
3.1. Certs on all Computer/Workstations and an entry in $RADDB/users of the Computername wirh Authentification-Type = EAP 3.2. Users in my LDAP with crypted Passwords (MD5/crypt) AND Passwords for Samba (NT-Passwords).
Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.
3.3. All Computernames in my LDAP (because I run a Samba-NT4-Domain).
4. Question is:
4.1. Can I configure FR to lookup the Computername upon a request in the LDAP, and if it finds the entry to enter a EAP-TLS authentification, and if not to deny access?
Yes. There are lots of ways to do this, depending on what key you want to use for the lookup (machine account name, mac address, TLS cert subject)
4.2. To authenticate all users of a specific group which are in LDAP with their password which is stored crypted/hashed in LDAP using PEAP?
Yes. You will need to configure FreeRADIUS to bind to LDAP with an account that has permission to read the ntPassword attrbute, but if you do that, it should just work.