PEAP MSCHAP2 Freeradius Active Directory

fvt3 fvt3 at yahoo.com
Thu Jun 29 03:52:45 CEST 2006


Are you suggesting that I do not use the MSCHAP module and
use the LDAP module to do the group lookup?  If you are using the LDAP
module, that would mean stripping the user name,
because the user name will be in this format:
"domain\\username".  Then in the radius config file I
would have
ldap student {
}

ldap staff {
}


users file:

DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type = LDAP1, Auth-Type := MSCHAP, Ldap-Group == "Students"
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 10,
	Tunnel-Type = VLAN

DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type = LDAP2, Auth-Type := MSCHAP, Ldap-Group == "Staff"
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 20,
	Tunnel-Type = VLAN


Does this config sound right, or am I off?  Thanks for
the suggestion.


--- Chris Liles <Chris.Liles at air2web.com> wrote:

> I never thought about splitting the authentication
> and authorization between ntlm and ldap.
> 
> I don't see why that wouldn't work, but I really
> have no idea.
> 
> But that would be pretty slick, coupled with some
> hacked wrt54g's to support the vlans.... a pretty
> cheap enterprise level solution!
> 
> --
> Chris Liles
> 
> 
> > -----Original Message-----
> > From: freeradius-users-bounces+chris.liles=air2web.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+chris.liles=air2web.com at lists.freeradius.org]
> > On Behalf Of Neal S. Garber
> > Sent: Wednesday, June 28, 2006 4:44 PM
> > To: FreeRadius users mailing list
> > Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
> > 
> > > You will need to configure the LDAP module to fetch groups from AD's LDAP
> > > server. See copious documentation or posts to the list. Broadly, once the
> > > LDAP module is set up correctly:
> > >
> > > DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students"
> > >         Tunnel-Medium-Type = IEEE-802,
> > >         Tunnel-Private-Group-Id = 10,
> > >         Tunnel-Type = VLAN
> > >
> > > DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff"
> > >         Tunnel-Medium-Type = IEEE-802,
> > >         Tunnel-Private-Group-Id = 20,
> > >         Tunnel-Type = VLAN
> > 
> > The doc. states that LDAP only supports PAP.  Is this a problem given he
> > said he's using PEAP/MSCHAPv2?  How would LDAP do the authentication if it
> > doesn't have a clear text password?  Or is the approach to use MSCHAPv2
> > for authentication and then LDAP for authorization??
> >
> > Thanks for helping me better understand...
> > 
> > 
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html





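As an added worked example (not posted by anyone in this thread), the split that the replies describe, written out for FreeRADIUS 1.x as shipped at the time: the mschap module hands the MS-CHAPv2 challenge/response to Samba's ntlm_auth for authentication, the ldap module is used only to read AD group membership, and the users file maps group to VLAN. The realm module strips "DOMAIN\user" so one LDAP instance can match sAMAccountName. The domain controller name, bind DN, password, certificate paths, group names and VLAN IDs are assumptions; the setting names are the stock 1.x ones.

```conf
# Added example, not from the thread: authenticate against AD with
# MS-CHAPv2 (ntlm_auth), authorize against AD with LDAP group lookups.
# Hostnames, DNs, passwords, cert paths and VLAN IDs are assumptions.

# --- radiusd.conf: modules --------------------------------------------
modules {
	# Turns "DOMAIN\user" into Stripped-User-Name = user, Realm = DOMAIN.
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}

	# Authentication only. The host must be joined to the domain so that
	# ntlm_auth can verify the challenge/response; no NT hash is stored here.
	mschap {
		authtype = MS-CHAP
		with_ntdomain_hack = yes
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
	}

	# Authorization only: never listed under authenticate, so the
	# "LDAP only supports PAP" limitation does not apply.
	ldap {
		server = "dc1.example.local"                          # assumption
		identity = "cn=radius,cn=Users,dc=example,dc=local"   # assumption: read-only account
		password = "change-me"
		basedn = "dc=example,dc=local"
		filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
		# AD keeps group DNs on the user object in memberOf; Ldap-Group
		# compares each group's cn with the value in the users file.
		groupmembership_attribute = memberOf
		groupname_attribute = cn
		# Do not let ldap claim Auth-Type; mschap sets it.
		set_auth_type = no
	}
}

# --- radiusd.conf: sections -------------------------------------------
authorize {
	preprocess
	ntdomain      # before ldap, so Stripped-User-Name exists for the filter
	eap
	mschap        # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
	ldap          # caches Ldap-UserDn for the Ldap-Group checks in "files"
	files
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

# --- eap.conf ----------------------------------------------------------
eap {
	default_eap_type = peap
	tls {
		private_key_file = ${raddbdir}/certs/server.pem   # assumption
		certificate_file = ${raddbdir}/certs/server.pem   # assumption
		CA_file = ${raddbdir}/certs/ca.pem                # assumption
		dh_file = ${raddbdir}/certs/dh
		random_file = /dev/urandom
	}
	peap {
		default_eap_type = mschapv2
		# Inner request needs NAS-Port-Type for the users-file checks.
		copy_request_to_tunnel = yes
		# Copy the Tunnel-* reply items from the inner MS-CHAPv2 result to
		# the outer Access-Accept; otherwise the AP never sees the VLAN.
		use_tunneled_reply = yes
	}
	mschapv2 {
	}
}

# --- users -------------------------------------------------------------
# The first matching DEFAULT wins (no Fall-Through), so the reject entry
# must stay last. No Auth-Type on the group entries: mschap sets it.
DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == "Students"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 10

DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == "Staff"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 20

# Wireless user in neither group: reject instead of landing on the AP's
# untagged VLAN with no Tunnel-* attributes.
DEFAULT NAS-Port-Type == Wireless-802.11, Auth-Type := Reject
	Reply-Message = "Not a member of an authorised wireless group"
```

Two points worth checking in the debug output (radiusd -X) before trusting this: a single ldap instance is enough to test several groups, so separate "student" and "staff" instances are not needed; and the Tunnel-* attributes only reach the access point when they are set on the inner request and use_tunneled_reply is on, since the users file is matched inside the PEAP tunnel where the MS-CHAPv2 exchange happens.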