PEAP LDAP confusion

Thibault Le Meur Thibault.LeMeur at
Tue Jul 18 20:51:20 CEST 2006

> Firstly, I am attempting to get XP/OSX clients to connect to a 802.1x 
> WLAN provided by a cisco wlan controller. This is currently backed by 
> ACS and works, but i'd like to use FreeRADIUS is possible, with half 
> my users in LDAP and half in MySQL.
> The setup uses PEAP, however am I correct in thinking that the RADIUS 
> server never touches any TLS components. The TLS tunnel is between 
> the WLAN controller and the client right?

Nope, the TLS tunnel starts at the client and ends at the Radius 
server: that's why the radius server needs a certificate (see the 
eap.conf file) and the client needs to check the radius server's 

> Furthermore, I know I cannot use ldap authentication (binding) as a 
> result of the eap conversation,

True because PEAP implies a ms-chapv2 exchange that requires the 
knowledge of the NT-Hash (ldap used as an authorization backend and not 
an authentication module)

> however can I store an NT-Hash in LDAP/MySQL for the mschapv2 module 
> to pick up and use? I'd prefer not to store clear text at all if 
> possible...

Yes for Ldap (see that maps the radius internal attribute 
NT-Password to sambaNTPassword by default.

> I have everything I need compiled and installed, but I'd like to know 
> whether or not I can achieve my goal before wasting a lot of my time. 
> Any pointers are thus greatly appreciated.

see doc/rlm_ldap configuration file
and the ldap section of radiusd.conf


More information about the Freeradius-Users mailing list