solved (was: Re: Active Directory/freeradius/enterasys - combination)
Michael Messner
michael.messner_edv at inode.at
Thu Aug 24 15:10:00 CEST 2006
hey Phil, hey list,
Phil Mayers said:
> Michael Messner wrote:
>>> Use the "ldap" module to query AD and add attributes to the reply
>>> dynamically. For example:
>>>
>>> DEFAULT Ldap-Group == "cn=students,dc=domain,dc=com"
>>>     Filter-Id = "Enterasys:version=1:mgmt=su:policy=userrole"
>>>
>>> ...or similar.
>>
>> But as I understood I can't use PEAP or MD5 authentication, am I
>> right? So there is nothing with 802.1x security?!?
>
> You can use LDAP just for the group checking. You don't have to use it
> for processing the authentication. So if you've already got 802.1x
> working e.g. using the mschap module and ntlm_auth, you can carry on
> using that.
>
> Easiest is to re-order the modules like so:
>
> authorize {
>     preprocess
>
>     # let the various auth types get detected and set
>     chap
>     mschap
>     eap
>
>     # now process the other stuff
>     ldap
>     files
> }
>
> ...and remove the "Auth-Type LDAP" section from "authenticate"
>
real great, everything works now! :-)
thanks a lot for your help
ca mIke
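
A small check for the two changes described in the quoted reply (auth-type modules listed before `ldap` in `authorize`, and no `Auth-Type LDAP` section left in `authenticate`). This is an added example, not part of the original thread or of FreeRADIUS; the `BAD` excerpt is constructed and the function names are hypothetical.

```python
import re

# Constructed counter-example: ldap listed first, Auth-Type LDAP left in.
BAD = """authorize {
    preprocess
    ldap
    mschap
    eap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}"""

def section_body(conf, name):
    """Return the comment-stripped lines inside top-level section `name`."""
    body, depth = [], 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0:
            # Not inside the section yet: look for its opening line.
            depth = 1 if re.fullmatch(rf"{name}\s*\{{", line) else 0
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break  # closing brace of the section itself
        if line:
            body.append(line)
    return body

def check(conf):
    """Return findings; an empty list means the layout matches the advice."""
    mods = [ln for ln in section_body(conf, "authorize") if re.fullmatch(r"[\w-]+", ln)]
    late = [m for m in ("chap", "mschap", "eap")
            if "ldap" in mods and m in mods and mods.index(m) > mods.index("ldap")]
    out = [f"authorize: {m} is listed after ldap" for m in late]
    if any(re.fullmatch(r"Auth-Type\s+LDAP\s*\{", ln, re.I)
           for ln in section_body(conf, "authenticate")):
        out.append("authenticate: Auth-Type LDAP section still present")
    return out

if __name__ == "__main__":
    print("\n".join(check(BAD)))
```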