Recommendation

Paul Dugas paul at dugasenterprises.com
Tue Aug 17 21:54:07 CEST 2010


On Tue, Aug 17, 2010 at 2:44 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
> Paul Dugas wrote:
> > On Mon, Aug 16, 2010 at 5:02 PM, Alan DeKok <aland at deployingradius.com> wrote:
> >>  Use PEAP.  Ensure passwords are in a form compatible with PEAP:
> >
> > My LDAP directory contains NT, LM, and SSHA passwords but not
> > clear-text so, if I'm following correctly, I need to look into using
> > ntlm_auth.
>
>  No.  I have no idea why you concluded that.
>
>  FreeRADIUS needs a password for authentication.  That's it.

The settings in NetworkManager on my Fedora Linux laptop, when I
choose WPA&WPA2-Enterprise and PEAP, allow MSCHAPv2 (default), MD5,
and GTC for the inner authentication.  I see on the protocol
compatibility table you referenced that only clear-text and ntlm_auth
are available under PEAP and EAP-MSCHAPv2.  I do not have clear-text
passwords in my LDAP directory so I concluded I needed to look into
ntlm_auth.

Where did I go wrong?

>  If you have the LDAP module listed in the "inner-tunnel", then you're
> well on your way to getting it all to work.

I found a posting that pointed me toward sites-available/default to
enable ldap under authorize and the Auth-Type LDAP block under
authenticate.  Found another that suggested the same in
sites-enabled/inner-tunnel.  I've adjusted modules/ldap to connect
with the correct privileges; I've not adjusted ldap.attrmap.  It didn't
work after that though I'm not at the site today to get detailed logs
to post.  I will be tomorrow though.

Paul

--
Paul Dugas • Dugas Enterprises, LLC • Computer Engineer
522 Black Canyon Park, Canton GA 30114 USA • Paul at DugasEnterprises.com
• +1.404.932.1355
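Added example, not from this thread and not FreeRADIUS code: why an NT hash stored in LDAP is usable for PEAP with an MSCHAPv2 inner method while an SSHA hash is not. MS-CHAPv2 (RFC 2759) only touches the clear-text password in one place, the NT hash (MD4 over the UTF-16LE password); everything the server needs to check the client's NT-Response is derived from that 16-byte hash, which is exactly what a sambaNTPassword attribute holds and what the stock ldap.attrmap hands to the mschap module as NT-Password. The Python below reproduces the hash and challenge steps and checks them against the test vectors in RFC 2759 section 9.2 (username, challenges and password from that section); the final three DES encryptions are described in a comment but not implemented, because the Python standard library has no DES. MD4 is written out in full because hashlib's md4 is commonly disabled under OpenSSL 3.

```python
"""MS-CHAPv2 (RFC 2759) server-side inputs derived from an NT hash alone.

Added example for the PEAP/MSCHAPv2 discussion; not part of FreeRADIUS.
Test vectors are the ones published in RFC 2759 section 9.2.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new('md4') is often unavailable on OpenSSL 3."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    # (boolean function, additive constant, word order, per-step rotations) for rounds 1-3
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, order, shifts in rounds:
            for i in range(16):
                a = _rotl((a + func(b, c, d) + x[order[i]] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step works on (d, a, b, c)
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This is the value sambaNTPassword stores, and the
    last point at which MS-CHAPv2 needs the clear-text password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 s8.2: the 8-byte challenge that the DES steps encrypt. Only the user part
    of the name is hashed, never a DOMAIN\\ prefix."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]


def des_key_fragments(password_hash: bytes):
    """RFC 2759 s8.5: zero-pad the 16-byte NT hash to 21 bytes and split it into three
    7-byte DES keys. NT-Response is the 8-byte challenge DES-encrypted under each of the
    three (24 bytes total). Note the inputs: hash and challenge only, no clear-text."""
    padded = password_hash + b"\x00" * 5
    return padded[0:7], padded[7:14], padded[14:21]


# RFC 2759 section 9.2 test vectors (published values, not constructed here)
RFC2759 = {
    "username": "User",
    "password": "clientPass",
    "auth_challenge": bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628"),
    "peer_challenge": bytes.fromhex("21402324255E262A28295F2B3A337C7E"),
    "challenge": bytes.fromhex("D02E4386BCE91226"),
    "password_hash": bytes.fromhex("44EBBA8D5312B8D611474411F56989AE"),
}


def check_rfc_vectors() -> bool:
    """True when our hash and challenge derivations match RFC 2759 section 9.2."""
    v = RFC2759
    return (nt_hash(v["password"]) == v["password_hash"]
            and challenge_hash(v["peer_challenge"], v["auth_challenge"], v["username"])
            == v["challenge"])


if __name__ == "__main__":
    # A directory that stores this hex string in sambaNTPassword has everything the
    # server side of MS-CHAPv2 needs; an SSHA userPassword can only be checked by bind.
    print("NT hash of 'clientPass':", nt_hash(RFC2759["password"]).hex())
    print("ChallengeHash:", challenge_hash(RFC2759["peer_challenge"],
                                           RFC2759["auth_challenge"],
                                           RFC2759["username"]).hex())
    print("DES key fragments:", [k.hex() for k in des_key_fragments(RFC2759["password_hash"])])
    print("RFC 2759 vectors match:", check_rfc_vectors())
```

Two consequences worth keeping in mind when wiring this up: the LM hash plays no part in MS-CHAPv2, so only the NT hash attribute matters; and because the NT hash is all the server ever uses, it is password-equivalent, so the LDAP ACL on that attribute (and the privileges of the bind DN FreeRADIUS reads it with) deserve the same care as a clear-text password would.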