FR2.1.3+LDAP+802.1x+PEAP

Caius caiuspolgar at yahoo.com
Wed Nov 11 09:37:13 CET 2009


Hi Ivan,

My problem was that in LDAP I have the passwords saved as SSHA, so I can't do 802.1x with EAP/PEAP/MSCHAP.

As I don't want to change my LDAP configuration to store the passwords in clear-text, or to use samba.schema and the NT hash, the only option remaining from my point of view was to try to distinguish between normal authentication and 802.1x authentication.

That's why I came up with this realm stuff, to be able to authenticate 802.1x users in the users file (where I have user/passwords in clear-text) and normal users in LDAP (SSHA).

That's why I was asking if it's possible, and if it's functional, or maybe there is another solution than the one provided by Alan (to not use 802.1x) :D

Thank you again for your feedback.

Best Regards,
Caius Pargar


--- On Wed, 11/11/09, tnt at kalik.net <tnt at kalik.net> wrote:

> From: tnt at kalik.net <tnt at kalik.net>
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Wednesday, November 11, 2009, 1:06 AM
> > I was thinking of the following:
> > to do the normal user authentication in LDAP, based on the provided realm,
> > and if no realm is present, authenticate the users in the users file.
> > Users which use 802.1x will be saved in clear-text in the users file
> > and users used for authentication for other stuff will be checked in LDAP
> > (@mydomain.com)
> >
> >
> > Or can I switch this around? A user: myuser at dot1x.com will be, based on the
> > realm, authenticated in the users file for 802.1x and a user with no realm will
> > be authenticated in LDAP?
> >
> > Please tell me your opinion on this, is it possible?
> 
> Use suffix and configure dot1x.com as local realm in proxy.conf:
> 
> realm dot1x.com {
> }
> 
> ... and you don't need multiple entries for the same user. Both users file
> and ldap module will use Stripped-User-Name for authentication by default.
> 
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
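An added example, not part of the original thread and not FreeRADIUS code: it shows why an `{SSHA}` value is enough for PAP but not for a challenge-response method. RFC 1994 CHAP stands in for MS-CHAPv2 here because it needs only the standard library; MS-CHAPv2 has the same constraint but needs the NT hash rather than the cleartext. The password, salt and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_check(stored_ssha: str, sent_password: str) -> bool:
    """PAP hands the server the password itself, so it can redo the salted hash."""
    raw = base64.b64decode(stored_ssha[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(sent_password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id + secret + challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def chap_check(stored_secret: bytes, chap_id: int,
               challenge: bytes, response: bytes) -> bool:
    """The server recomputes the response from whatever it has stored."""
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample data (not from the thread).
PASSWORD = "s3cret-example"
SALT = bytes.fromhex("0102030405060708")
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
STORED_SSHA = make_ssha(PASSWORD, SALT)

def demo() -> dict:
    # What the client sends in a challenge-response exchange: never the password.
    response = chap_response(1, PASSWORD.encode(), CHALLENGE)
    # All the server can pull out of the SSHA value is a salted SHA-1 digest.
    ssha_digest = base64.b64decode(STORED_SSHA[len("{SSHA}"):])[:20]
    return {
        "pap_vs_ssha": pap_check(STORED_SSHA, PASSWORD),
        "chap_vs_cleartext": chap_check(PASSWORD.encode(), 1, CHALLENGE, response),
        "chap_vs_ssha_digest": chap_check(ssha_digest, 1, CHALLENGE, response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third check fails because the server would need the original secret to recompute the response, and the salted hash cannot be reversed to obtain it.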


      


