ntlm_auth for PEAP with rlm_perl

Habegger Lukas, ERZ-AZD-AIL lukas.habegger at erz.be.ch
Fri Feb 16 10:50:20 CET 2007


Is it possible to do the ntlm_auth authorization used for PEAP with a Perl script over rlm_perl?

And if yes how?



-----Original Message-----
From: freeradius-users-bounces+lukas.habegger=erz.be.ch at lists.freeradius.org [mailto:freeradius-users-bounces+lukas.habegger=erz.be.ch at lists.freeradius.org] On behalf of A.L.M.Buxey at lboro.ac.uk
Sent: Thursday, 15 February 2007 16:00
To: scott at renshawauto.com; FreeRadius users mailing list
Subject: Re: Simple security

> Thanks Jeremy.
> I've been doing various searches for practical examples of 802.1x in a LAN setting and haven't found anything yet.  Have you?

it all depends on what kit you've got, both in the network space and in the server architecture.

eg with decent Cisco or HP switches you can simply enable dot1X on each switch interface and configure the switch to RADIUS authenticate eg against FreeRADIUS.  you would need to install EAP-TLS certs on each machine - or configure PEAP etc vs an AD for auth. that's hardly 'seamless'
but no network access control is seamless to users in reality.

alternatively, how 'secure' does this have to be? you could, eg use MAC address authentication.
eg use dot1x with MAC auth...and then also do the same for DHCP. going this way you could use VMPS on the CISCO kit - unregistered machines live on their own VLAN devoid of anything - except maybe an authentication gateway to register their systems.

or, as a final option, default VLAN on the switch gives people only a captive portal. once they have registered (or if they are already known - via MAC) a quick SNMP of their switch port sets their vlan to the correct working one. this can be achieved with home-brew code OR via solutions such as campus manager.

balance up the security requirements vs the cost and implementation timeframe.  for a small setup, EAP-TLS certs with real dot1x would be my personal way to go.  you've just then got the headache of those network devices that don't do dot1X  - eg network printers/scanners, voip handsets etc - for those you'd have to secure the network socket and cabling :-|

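The question at the top of this message asks whether rlm_perl can drive ntlm_auth. The following is an added example, not code from the post or from the FreeRADIUS project: an rlm_perl module that validates a User-Name/User-Password pair against a Windows domain by talking to Samba's ntlm_auth in its squid-2.5-basic helper mode. It only works when the inner method hands the server a plaintext password (PAP, or EAP-GTC inside PEAP/TTLS); for MS-CHAPv2, the usual PEAP inner method, the server never sees a plaintext password and the mschap module's own ntlm_auth setting (with --request-nt-key, --challenge and --nt-response) remains the right tool. The ntlm_auth path, the NetBIOS domain name and the helper-protocol details are assumptions; the host is assumed to be joined to the domain with winbindd running and readable by the radiusd user.

```perl
# Added example for rlm_perl (not from the mailing-list post): check a
# plaintext password against a Windows domain via Samba's ntlm_auth.
# Assumptions: ntlm_auth lives at /usr/bin/ntlm_auth, winbindd is running
# and the machine is joined to the domain; EXAMPLE is a placeholder domain.
use strict;
use warnings;
use IPC::Open2;

# rlm_perl fills these hashes for every request
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes as documented in rlm_perl's example.pl
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

my $NTLM_AUTH = '/usr/bin/ntlm_auth';   # assumed helper path
my $DOMAIN    = 'EXAMPLE';              # placeholder NetBIOS domain

# The squid-2.5-basic protocol expects "user password" with %XX escaping,
# so spaces and non-ASCII in either field cannot break the framing.
sub url_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Ask ntlm_auth whether $user/$pass are valid. Username and password come
# straight from the RADIUS request, so never build a shell command string
# from them: open2() with a list argument execs ntlm_auth directly and the
# password travels over stdin instead of the process list.
sub ntlm_check {
    my ($user, $pass) = @_;
    my $dom = $DOMAIN;
    # Honour a DOMAIN\user form if the supplicant sent one
    ($dom, $user) = ($1, $2) if $user =~ /^([^\\]+)\\(.+)$/;

    my ($rd, $wr);
    my $pid = eval {
        open2($rd, $wr, $NTLM_AUTH,
              '--helper-protocol=squid-2.5-basic', "--domain=$dom");
    };
    return 0 unless $pid;                 # helper missing or not executable

    print {$wr} url_escape($user), ' ', url_escape($pass), "\n";
    close $wr;
    my $answer = <$rd>;                   # "OK" or "ERR ..." from ntlm_auth
    close $rd;
    waitpid($pid, 0);
    return (defined $answer && $answer =~ /^OK/) ? 1 : 0;
}

# authorize: claim requests that carry a plaintext password
sub authorize {
    return RLM_MODULE_NOOP unless defined $RAD_REQUEST{'User-Password'};
    $RAD_CHECK{'Auth-Type'} = 'Perl';
    return RLM_MODULE_UPDATED;
}

# authenticate: runs when Auth-Type = Perl was selected above
sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_REJECT unless defined $user && defined $pass;

    # Do not log the password; log only the outcome for the account
    if (ntlm_check($user, $pass)) {
        $RAD_REPLY{'Reply-Message'} = 'Domain authentication succeeded';
        return RLM_MODULE_OK;
    }
    &radiusd::radlog(1, "ntlm_auth rejected user $user");
    return RLM_MODULE_REJECT;
}

# Remaining rlm_perl entry points: take no action
sub preacct  { return RLM_MODULE_NOOP; }
sub accounting { return RLM_MODULE_NOOP; }
sub post_auth { return RLM_MODULE_NOOP; }
sub detach { return RLM_MODULE_OK; }

1;
```

To wire it in, the perl module instance in the server configuration points at this file (module = ${confdir}/ntlm_perl.pl, an assumed filename), "perl" is listed in the authorize section and "Auth-Type Perl { perl }" in authenticate, so the inner tunnel's PAP or GTC request reaches this code after EAP decrypts it. A practitioner should also rate-limit or monitor ntlm_auth rejections, since this path turns the RADIUS server into an online password oracle for the domain just as the mschap path does.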