FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?

Phil Mayers p.mayers at imperial.ac.uk
Tue Jan 17 22:03:16 CET 2006


Palmer J.D.F. wrote:
> Hi,
>
> I am currently trying to create a new auth system for our WPA 802.1x 
> WiFi network.
> 
> Thus far I have the server authenticating using PEAP(MSCHAPv2) against a 
> users file containing a simple test user/pass pair.
> 
> What I would now like to do is use MySQL to contain user data such as 
> the VLAN to be assigned to that user and which LDAP server their account 

Assuming you know how to make the VLAN assignment work at all, then this 
is trivial.

Assigning a completely dynamic LDAP server might be a little more tricky.

If you know what set of LDAP server(s) you want to use in advance, then 
you could do this:

modules {
   # Two instances of the ldap module. The instance name (ldap1, ldap2)
   # is what the Autz-Type sections in "authorize" refer to.
   ldap ldap1 {
     # config here
   }
   ldap ldap2 {
     # config here
   }
}

authorize {
   preprocess
   # mysql must set Autz-Type to Ldap1 or Ldap2 for the user; that
   # value selects which of the conditional sections below is run.
   mysql
   mschap
   eap

   Autz-Type Ldap1 {
     ldap1
   }
   Autz-Type Ldap2 {
     ldap2
   }
}

The "mysql" module/tables will need to set Autz-Type on the requests, at 
which point the authorize stanza will be run *again* executing the 
conditional sections.

...however making this work correctly in the presence of eap/ms-chapv2 
will not be straightforward, and in any event you have the other issue...

> exists on, then use LDAP to verify the credentials.

The only "verification" LDAP can do of credentials is to proxy PAP 
requests to LDAP simple binds. You cannot check MS-CHAP "against" an 
LDAP server.

However using LDAP as a database, as it was intended, then *if* the 
LDAP server contains either plaintext password or the NT/LM hashes, the 
radius server can read them, and the ldap module is configured to get 
them from LDAP, then FreeRadius can perform the MS-CHAP inside itself.

> 
> The idea being that a PEAP request comes in, tunnel gets built etc, the 
> user gets looked up in the MySQL database, the credentials are then 
> authenticated against the correct LDAP (or RADIUS) server, then on 
> success an access-accept along with the user's VLAN is passed back to 
> the NAS.

This seems extremely hard work. Why would you use both MySQL and LDAP?

>
> The question is, is it possible for PEAP(MSCHAPv2) and LDAP with MySQL 
> to interact in this way?

Your question is not precise enough for me to be sure exactly what you want.


