FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?

Palmer J.D.F. J.D.F.Palmer at swansea.ac.uk
Wed Jan 18 11:27:08 CET 2006


Hi Phil,

Many thanks for the reply.
I'm sorry the detail was lacking; I'll try to explain myself a little better
now.

Firstly, what we do already and why I want to use MySQL...

At the moment we run FR as a RADIUS proxy that proxies requests to a number
of RADIUS servers based on the username.
Presently we use the 'users' file to do this; the users file is built from
our mail tables. Amongst other things the users file maps a username to a
home RADIUS server and a VLAN; basically I want to use MySQL to replace the
users file. I don't want to actually authenticate against details in the
MySQL database.

The reason we use the mail tables is that they contain every user and the
respective server that their mail goes to; we use the SMTP server name to
determine which domain a user's RADIUS requests should be sent to.
We use the Proxy_To_Realm directive in the users file to forward a user's
request to the correct server.

The reason I now want to use a database is because it will give us the
ability to add more user data fields and a database would be more
manageable, as the current users file has 38554 entries and is growing.

Why I want to use LDAP...

All of our user data is held in various MS ADS or Novell NDS directories;
currently we run an IAS machine on each of our AD domains to handle the
proxied requests forwarded by the FR server. My thinking was that it seems a
little pointless to have these IAS boxes if I could use FR to set up the
PEAP tunnels and then verify the user's credentials against the appropriate
domain's LDAP server.

I ideally want to use PEAP(MSCHAPv2) though, mainly from a support, but also
from an encryption strength point of view; however it appears that unless
something clever can be done to verify MSCHAPv2 against MS or Novell LDAP it
looks like I may be stuck with the nasty IAS boxes.

I hope that makes some sense. 

Many thanks,
Jezz Palmer.



> -----Original Message-----
> From: freeradius-users-
> bounces+j.d.f.palmer=swansea.ac.uk at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+j.d.f.palmer=swansea.ac.uk at lists.freeradius.org] On Behalf Of Phil
> Mayers
> Sent: 17 January 2006 21:03
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?
> 
> Palmer J.D.F. wrote:
> > Hi,
> >
> >
> >
> > I am currently trying to create a new auth system for our WPA 802.1x
> > WiFi network.
> >
> > Thus far I have the server authenticating using PEAP(MSCHAPv2) against a
> > users file containing a simple test user/pass pair.
> >
> > What I would now like to do is use MySQL to contain user data such as
> > the VLAN to be assigned to that user and which LDAP server their account
> 
> Assuming you know how to make the VLAN assignment work at all, then this
> is trivial.
> 
> Assigning a completely dynamic LDAP server might be a little more tricky.
> 
> If you know what set of LDAP server(s) you want to use in advance, then
> you could do this:
> 
> modules {
>    ldap ldap1 {
>      # config here
>    }
>    ldap ldap2 {
>      # config here
>    }
> }
> 
> authorize {
>    preprocess
>    mysql
>    mschap
>    eap
> 
>    Autz-Type Ldap1 {
>      ldap1
>    }
>    Autz-Type Ldap2 {
>      ldap2
>    }
> }
> 
> The "mysql" module/tables will need to set Autz-Type on the requests, at
> which point the authorize stanza will be run *again* executing the
> conditional sections.
> 
> ...however making this work correctly in the presence of eap/ms-chapv2
> will not be straightforward, and in any event you have the other issue...
> 
> > exists on, then use LDAP to verify the credentials.
> 
> The only "verification" LDAP can do of credentials is to proxy PAP
> requests to LDAP simple binds. You cannot check MS-CHAP "against" an
> LDAP server.
> 
> However, using LDAP as a database, as it was intended, then *if* the
> LDAP server contains either the plaintext password or the NT/LM hashes, the
> radius server can read them, and the ldap module is configured to get
> them from LDAP, then FreeRadius can perform the MS-CHAP inside itself.
> 
> >
> > The idea being that a PEAP request comes in, tunnel gets built etc, the
> > user gets looked up in the MySQL database, the credentials are then
> > authenticated against the correct LDAP (or RADIUS) server, then on
> > success an access-accept along with the user's VLAN is passed back to
> > the NAS.
> 
> This seems extremely hard work. Why would you use both MySQL and LDAP?
> 
> >
> >
> >
> > The question is, is it possible for PEAP(MSCHAPv2) and LDAP with MySQL
> > to interact in this way?
> 
> Your question is not precise enough for me to be sure exactly what you
> want.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
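The configuration below fleshes out the scheme Phil sketches (one ldap instance per directory, selected by an Autz-Type that the database sets, with the VLAN also coming from the database). It is an editor's added example, not configuration posted in this thread or shipped with FreeRADIUS. It uses FreeRADIUS 1.x syntax and the stock `sql` module rather than a module named `mysql`; every hostname, DN, credential, the Samba-schema `sambaNTPassword` attribute, the user `jpalmer` and VLAN 42 are assumptions for illustration.

```conf
# Added example (editor's, not from the thread): FreeRADIUS 1.x radiusd.conf
# fragment implementing Phil's Autz-Type scheme. All names, DNs, passwords,
# the user 'jpalmer' and VLAN 42 are made up for illustration.

modules {
    # Replaces the 'users' file: radcheck rows say which directory holds the
    # account (Autz-Type), radreply rows carry the VLAN for the NAS.
    sql {
        driver    = "rlm_sql_mysql"
        server    = "localhost"
        login     = "radius"
        password  = "radius-db-password"      # assumed
        radius_db = "radius"
    }

    # One ldap instance per directory. The ldap module only *reads*
    # attributes; for MS-CHAP to work the directory must store the NT hash
    # and the bind identity must be permitted to read it.
    ldap ldap1 {
        server   = "ldap1.example.ac.uk"                    # assumed
        identity = "cn=radius,dc=dept1,dc=example,dc=ac,dc=uk"
        password = "ldap1-bind-password"
        basedn   = "dc=dept1,dc=example,dc=ac,dc=uk"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # ldap.attrmap has to map the stored hash onto the NT-Password check
        # item, e.g. for a Samba-schema directory:
        #   checkItem  NT-Password  sambaNTPassword
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
    ldap ldap2 {
        server   = "ldap2.example.ac.uk"                    # assumed
        identity = "cn=radius,dc=dept2,dc=example,dc=ac,dc=uk"
        password = "ldap2-bind-password"
        basedn   = "dc=dept2,dc=example,dc=ac,dc=uk"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }

    mschap {
        authtype = MS-CHAP
    }

    eap {
        default_eap_type = peap
        tls {
            private_key_file = ${raddbdir}/certs/server.pem
            certificate_file = ${raddbdir}/certs/server.pem
            CA_file          = ${raddbdir}/certs/ca.pem
            dh_file          = ${raddbdir}/certs/dh
            random_file      = ${raddbdir}/certs/random
        }
        peap {
            default_eap_type   = mschapv2
            # The sql/ldap lookups and the VLAN reply happen on the *inner*
            # request; copy that reply into the outer Access-Accept the NAS sees.
            use_tunneled_reply = yes
        }
    }
}

authorize {
    preprocess
    sql          # sets Autz-Type := Ldap1 / Ldap2 and the Tunnel-* reply items
    mschap       # recognises the inner MS-CHAPv2 and sets Auth-Type = MS-CHAP
    eap
    Autz-Type Ldap1 {
        ldap1    # fetches NT-Password into the check items
    }
    Autz-Type Ldap2 {
        ldap2
    }
}

authenticate {
    Auth-Type MS-CHAP {
        mschap   # MS-CHAPv2 verified locally against the hash LDAP returned
    }
    eap
}

# Rows the sql module reads for one user (MySQL, default rlm_sql schema);
# constructed sample data:
#
#   INSERT INTO radcheck (username, attribute, op, value)
#     VALUES ('jpalmer', 'Autz-Type', ':=', 'Ldap1');
#   INSERT INTO radreply (username, attribute, op, value) VALUES
#     ('jpalmer', 'Tunnel-Type',             ':=', 'VLAN'),
#     ('jpalmer', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
#     ('jpalmer', 'Tunnel-Private-Group-Id', ':=', '42');
```

Two checks worth making before relying on this: first, the whole lookup chain runs on the inner PEAP request, so the identity the supplicant sends inside the tunnel is what `sql` and `ldap` see, and `use_tunneled_reply` is what gets the Tunnel-* attributes out to the NAS. Second, as Phil says, this only works where the directory actually stores the NT hash and lets the RADIUS bind identity read it (the Samba schema does; a stock Active Directory domain controller does not expose password hashes over LDAP), so for the AD domains the proxied IAS path stays in place unless a different verifier for MS-CHAP is introduced.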


