PEAP MSCHAP2 Freeradius Active Directory

Chris Liles Chris.Liles at air2web.com
Wed Jun 28 22:37:32 CEST 2006


I thought the ldap module wouldn't work with PEAP and AD unless you store the LM and NT password hashes for each user in AD?! Because you can't get the cleartext password back from AD...

I don't think that extending AD to store this info would be difficult, I just think having those hashes updated when a user changes his/her password would be a pain, but I don't know.



--
Chris Liles


> -----Original Message-----
> From: freeradius-users-
> bounces+chris.liles=air2web.com at lists.freeradius.org [mailto:freeradius-
> users-bounces+chris.liles=air2web.com at lists.freeradius.org] On Behalf Of
> Phil Mayers
> Sent: Wednesday, June 28, 2006 4:20 PM
> To: FreeRadius users mailing list
> Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
> 
> fvt3 wrote:
> > Hi,
> >
> > I have a question on configuring freeradius to return
> > vlan attributes base on a user group membership or ou.
> >  I have a windows client xp sp2 using peap mschap2 to
> > authenticate off radius.  How do I set radius to
> > return a vlan id of 10 if the user belongs to the
> > student group and if the user belongs to the teacher
> > group the user get a vlan id of 20?  I have freeradius
> > to authenticate of Active Directory but its only
> > returning one vlan..
> >
> > DEFAULT   NAS-Port-Type == "Wireless-802.11"
> >           Tunnel-Medium-Type = IEEE-802,
> >           Tunnel-Private-Group-Id = 10,
> >           Tunnel-Type = VLAN
> >
> > Do I have add something else in the user file?
> 
> You will need to configure the LDAP module to fetch groups from ADs LDAP
> server. See copious documentation or posts to the list. Broadly, once
> the LDAP module is setup correctly:
> 
> DEFAULT	NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students"
> 	Tunnel-Medium-Type = IEEE-802,
> 	Tunnel-Private-Group-Id = 10,
> 	Tunnel-Type = VLAN
> 
> DEFAULT	NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff"
> 	Tunnel-Medium-Type = IEEE-802,
> 	Tunnel-Private-Group-Id = 20,
> 	Tunnel-Type = VLAN
> 
> Alternatively if you fill AD in from some external system e.g. SQL
> database you can pull from there, or dump the groups to a file like so:
> 
> username:groupname
> 
> ...and use the (poorly-named) "passwd" module to add the group.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
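The users-file matching Phil describes, as an added example that is not part of this thread or of FreeRADIUS itself: a small Python emulation of first-match lookup over the entries quoted above, with Ldap-Group assumed to have been resolved by the ldap module into a plain request attribute (in real FreeRADIUS it is a group-membership check, not an attribute). It shows why the single DEFAULT entry in the question hands VLAN 10 to every wireless user, and that with the group-qualified entries a wireless user in neither group gets no Tunnel attributes at all.

```python
import re

# Constructed sample input, copied from the thread: the question's single DEFAULT
# entry, and the two group-qualified DEFAULT entries Phil suggested.
ORIGINAL_USERS = """\
DEFAULT   NAS-Port-Type == "Wireless-802.11"
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 10,
          Tunnel-Type = VLAN
"""
GROUP_USERS = """\
DEFAULT\tNAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students"
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 10,
\tTunnel-Type = VLAN

DEFAULT\tNAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff"
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 20,
\tTunnel-Type = VLAN
"""
# One 'Attribute op value' item: op is == for check items, = for reply items.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|=)\s*"?([^",]*)"?\s*')

def parse_items(text):
    """Parse a comma-separated item list into {attribute: value}."""
    matches = (ITEM_RE.fullmatch(piece) for piece in text.rstrip(",").split(","))
    return {m.group(1): m.group(3).strip() for m in matches if m}

def parse_users(text):
    """Parse blank-line separated entries into (name, checks, replies) tuples."""
    entries = []
    for block in text.strip().split("\n\n"):
        first, *reply_lines = block.splitlines()
        name, check_text = (first.split(None, 1) + [""])[:2]
        replies = {}
        for line in reply_lines:
            replies.update(parse_items(line))
        entries.append((name, parse_items(check_text), replies))
    return entries

def lookup(entries, request):
    """Reply items of the first matching entry (first match wins, as in
    FreeRADIUS without Fall-Through); Ldap-Group is assumed already resolved."""
    for name, checks, replies in entries:
        if name in ("DEFAULT", request.get("User-Name")) and all(
                request.get(attr) == value for attr, value in checks.items()):
            return dict(replies)
    return {}
```

A user who is in neither group matches nothing and so gets an Access-Accept with no VLAN (or whatever the rest of the policy decides), which is usually not what you want; add a final DEFAULT entry or an explicit reject for that case.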
