Active Directory/freeradius/enterasys - combination

Phil Mayers p.mayers at
Thu Aug 24 11:50:58 CEST 2006

Michael Messner wrote:
>> Use the "ldap" module to query AD and add attributes to the reply
>> dynamically. For example:
>> DEFAULT    Ldap-Group == "cn=students,dc=domain,dc=com"
>>     Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"
>> ...or similar.
> thanks for your help, now I have configured the Ldap connection to AD
> with the Ldap Groups and yea it works! :-)
> But as I understood I can't use PEAP or MD5 authentication, am I right?
> So there is nothing with 802.1x security?!?
> If so, are there any other possible solutions/workarounds?
> I hope somebody can give me any help, information, links or something else.

You can use LDAP just for the group checking. You don't have to use it 
for processing the authentication. So if you've already got 802.1x 
working e.g. using the mschap module and ntlm_auth, you can carry on 
using that.

*If* you're having problems, this might be because the "ldap" module is 
the first one to process the request and it sets Auth-Type to LDAP 
because it thinks it is authoritative.

Easiest is to re-order the modules like so:

authorize {

   # let the various auth types get detected and set

   # now process the other stuff

...and remove the "Auth-Type LDAP" section from "authenticate"

Alternatively, the ldap module has a "set_auth_type" option - set it to 
"no" and it will never override the auth-type and thus

More information about the Freeradius-Users mailing list