Howto ignore phase1 identity EAP-PEAP +mschapv2+openldap
Hello freeradius-users, I search a way to ignore phase1 identity and avoid ldap access during phase1 for EAP-PEAP/mschapv2 I try to migrate a freeradius V1 eap + ldap instance to freeradius V2.1.8. (+1200 NAS, many kind of AP mostly Cisco, all sort of supplicants on XPSP2/SP3, MacOSX, unknown cash registers and so on all around the world ...) As I understand starting from V1 configs is always a BAD idea, I started from a default 2.1.8, with sites-enables as default and inner-tunnel, with ldap. authorize must check user has some radiusgroup-name attribute in ldap authenticate user in ldap. According to customer : For phase 1 (outter) : * no check has to be done on phase 1 (ignore outer identity, etc ...) * a huntgroup hotspot is assigned during outer preprocess For phase 2 (inner) : use inner identity to check if user has correct radiusgroup-name attribute use inner identity to validate user/password, mostly using eap-peap with mschapv2 without ntlm_auth from samba installed. I have a basic setup which seems to work (eapol-test compiled from hostapd sources), but generate a lot of logs and ldap access during phase1. It also fails if outter identity is unknown in ldap (anonymous or other fancy id encoutered in customer's freeradius v1 production auth_logs ...) I have eapol_test log and freeradius -X available. Would you have some guideline to achieve this ? Best regards Fred
Fred MAISON wrote:
Hello freeradius-users, I search a way to ignore phase1 identity and avoid ldap access during phase1 for EAP-PEAP/mschapv2
See raddb/sites-enabled/inner-tunnel
I have a basic setup which seems to work (eapol-test compiled from hostapd sources), but generate a lot of logs and ldap access during phase1.
Because you configured it to do that. Fix it so that the LDAP lookups happen only in the inner tunnel.
It also fails if outter identity is unknown in ldap (anonymous or other fancy id encoutered in customer's freeradius v1 production auth_logs ...)
Because you configured it to do LDAP lookups during tunnel setup. Why? Alan DeKok.
participants (2)
-
Alan DeKok -
Fred MAISON