PEAP LDAP confusion
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Tue Jul 18 20:51:20 CEST 2006
> Firstly, I am attempting to get XP/OSX clients to connect to a 802.1x
> WLAN provided by a cisco wlan controller. This is currently backed by
> ACS and works, but i'd like to use FreeRADIUS is possible, with half
> my users in LDAP and half in MySQL.
> The setup uses PEAP, however am I correct in thinking that the RADIUS
> server never touches any TLS components. The TLS tunnel is between
> the WLAN controller and the client right?
Nope, the TLS tunnel starts at the client and ends at the Radius
server: that's why the radius server needs a certificate (see the
eap.conf file) and the client needs to check the radius server's
> Furthermore, I know I cannot use ldap authentication (binding) as a
> result of the eap conversation,
True because PEAP implies a ms-chapv2 exchange that requires the
knowledge of the NT-Hash (ldap used as an authorization backend and not
an authentication module)
> however can I store an NT-Hash in LDAP/MySQL for the mschapv2 module
> to pick up and use? I'd prefer not to store clear text at all if
Yes for Ldap (see ldapattr.map) that maps the radius internal attribute
NT-Password to sambaNTPassword by default.
> I have everything I need compiled and installed, but I'd like to know
> whether or not I can achieve my goal before wasting a lot of my time.
> Any pointers are thus greatly appreciated.
ldapattr.map configuration file
and the ldap section of radiusd.conf
More information about the Freeradius-Users