Re: windowsXP+LDAP+freeradius
Hai, Thanks for your reply. I was trying to use PAM authentication with freeradius for Win XP client (PEAP). I was getting error in the tls section. I posted to freeradius userlist. I got the reply as below. Is this right?. If not, Can I use LDAP+PEAP+freeradius. ============================================================================================================= You cannot use PAM to answer PEAP/MS-CHAP requests. You must either have the plaintext password for the user, the NT or LM hashes for their password, or access to an NT domain controller and use the "ntlm_auth" helper in the mschap module. =============================================================================================================
I have Link sys wireless router, windows XP clients, freeradius and LDAP server (Linux). I want to make the user authentication for the windows XP clients against freeradius to connect to Link sys router. I have all the users in LDAP. The LDAP server is set as user database for freeradius sever. Is this possible?. If possible, can you please give me the idea how to do this.
Perfectly fine. Take a look at the ldap { } section in radiusd.conf (it's pretty much self explanatory), and enable ldap in authorize { } and authenticate { }. For wireless, you'll also need at least a server certificate, a script for generating one is in the scripts/ subdirectory of freeradius. Use that certificate for the eap.conf configuration, where you will have to enable at least the tls { } part, and either peap or ttls, depending on what supplicant you use on the Win XP side. The built-in supplicant (not recommended, but working) is using peap. Greetings, Stefan Winter
Thanks & Regards, Muthu.
Hello,
I was trying to use PAM authentication with freeradius for Win XP client (PEAP). I was getting error in the tls section. I posted to freeradius userlist. I got the reply as below. Is this right?. If not, Can I use LDAP+PEAP+freeradius.
Yes, the info was right. But _still_, your chances are very good that you can use LDAP: your LDAP server needs to store the user passwords in clear text and allow your LDAP admin user to retrieve them. This is a common scheme in most LDAP instances, the notable exception being ActiveDirectory. But even with ActiveDirectory you could do PEAP, it would just be a little m,ore complicated than I outlined below (ntlm_auth, as the text you quoted suggested). Greetings, Stefan Winter
================================== You cannot use PAM to answer PEAP/MS-CHAP requests. You must either have the plaintext password for the user, the NT or LM hashes for their password, or access to an NT domain controller and use the "ntlm_auth" helper in the mschap module.
===========================================================================
Greetings -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Muthu <cmuthu@naturesoft.net> wrote:
I was trying to use PAM authentication with freeradius for Win XP client (PEAP).
PAM works only for clear-text passwords. I'll update the compatibility matrix on my web site. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Muthu -
Stefan Winter