FR2.1.3+LDAP+802.1x+PEAP

Alan DeKok aland at deployingradius.com
Wed Nov 11 10:32:43 CET 2009


Caius wrote:
> regarding your tips:
> a) I don't wanna do, maybe if I have no other choice, I'll have 2 password attributes SSHA+NTLM, but it's a clear no to clear-text, and a maybe to NT hash

  NTLM is largely a version of MSCHAP for Active Directory.

  If you want to do PEAP authentication, you need clear-text passwords,
or NT hashes.

> b)  need it, so not gonna happen 
> 
> so, as I need to proceed further with my investigation, what are my options really? :D
> 
> I was thinking of the following:
> to do the normal user authentication in LDAP, based on the provided realm, and if no realm present authenticate the users in users file.
> Users which use 802.1x will be saved in clear-text in users file
> and users used for authentication for other stuff, will be checked in LDAP (@mydomain.com)
> 
> 
> or can I switch this around? A user: myuser at dot1x.com will be based on the realm authenticated in users file for 802.1x and a user with no realm will be authenticated in LDAP?

  I would suggest using email addresses for 802.1X authentication.
Inventing fake realms is a bad idea.

  Alan DeKok.


