On 04/20/2011 11:37 AM, Alexandros Gougousoudis wrote:
Hi Phil,
Phil Mayers schrieb:
Ah, good. If you have NT-Password, PEAP/MS-CHAP should work. Great! Yes. There are lots of ways to do this, depending on what key you want to use for the lookup (machine account name, mac address, TLS cert subject)
Thanks, I'll start to do this. Machine account name should work for me.
Any hints, or how to do this? Is there somewhere an example availlable to start with?
Well, as I said - there are lots of ways of doing this. The simplest possible way is to configure the LDAP module appropriately. Since you're doing both user- and host-based auth, you will need to make sure that the filter is correct: raddb/modules/ldap: ... # the mschap:User-Name will turn: # # domain\user -> user # host/name.domain -> name$ filter = "(samaccountname=%{mschap:User-Name})" ...and then you just call the "ldap" module in your "authorize" section e.g. raddb/sites-enabled/default: authorize { ... eap { ok = return } ldap if (notfound) { reject } }
I'am new to FR 2.1 and it's hard to make even my old config work on the test-maschine.
Unless you're a FreeRADIUS expert, you're going to find that hard. Start with a clean slate. Put the config into version control. Make small changes and test, then commit to version control when each change is done. Build your config up that way.