FR2.1.3+LDAP+802.1x+PEAP
Alan DeKok
aland at deployingradius.com
Wed Nov 11 10:32:43 CET 2009
Caius wrote:
> Regarding your tips:
> a) I don't wanna do, maybe if I have no other choice, I'll have 2 password attributes SSHA+NTLM, but it's a clear no to clear-text, and a maybe to NT hash

NTLM is largely a version of MSCHAP for Active Directory.
If you want to do PEAP authentication, you need clear-text passwords,
or NT hashes.

> b) need it, so not gonna happen
>
> So, as I need to proceed further with my investigation, what are my options really? :D
>
> I was thinking of the following:
> to do the normal user authentication in LDAP, based on the provided realm, and if no realm is present, authenticate the users in the users file.
> Users which use 802.1x will be saved in clear-text in the users file
> and users used for authentication for other stuff will be checked in LDAP (@mydomain.com)
>
> Or can I switch this around? A user: myuser at dot1x.com will be, based on the realm, authenticated in the users file for 802.1x, and a user with no realm will be authenticated in LDAP?

I would suggest using email addresses for 802.1X authentication.
Inventing fake realms is a bad idea.

Alan DeKok.