Freeradius + EAP-TLS + LDAP

Phil Mayers p.mayers at imperial.ac.uk
Wed Apr 20 11:54:19 CEST 2011


On 04/20/2011 10:23 AM, Alexandros Gougousoudis wrote:

> 3.1. Certs on all Computer/Workstations and an entry in $RADDB/users of
> the Computername with Authentication-Type = EAP
> 3.2. Users in my LDAP with crypted Passwords (MD5/crypt) AND Passwords
> for Samba (NT-Passwords).

Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.

> 3.3. All Computernames in my LDAP (because I run a Samba-NT4-Domain).
>
> 4. Question is:
>
> 4.1. Can I configure FR to lookup the Computername upon a request in the
> LDAP, and if it finds the entry to enter a EAP-TLS authentication, and
> if not to deny access?

Yes. There are lots of ways to do this, depending on what key you want 
to use for the lookup (machine account name, mac address, TLS cert subject)

> 4.2. To authenticate all users of a specific group which are in LDAP
> with their password which is stored crypted/hashed in LDAP using PEAP?

Yes. You will need to configure FreeRADIUS to bind to LDAP with an 
account that has permission to read the ntPassword attribute, but if you 
do that, it should just work.
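One way to express the "look the supplicant up in LDAP, reject if absent, otherwise let EAP run" logic from 4.1 in the outer virtual server, written as an added example for this thread rather than anything from the original posts or the FreeRADIUS project. It assumes FreeRADIUS 2.x unlang, that the `ldap` module's filter matches on the RADIUS User-Name (the machine account name for EAP-TLS, the user name for PEAP), and that the bind account can read the Samba NT hash:

```unlang
# Added example (assumption: FreeRADIUS 2.x, sites-enabled/default).
authorize {
    preprocess

    # Look the outer identity up in LDAP before EAP sees the packet.
    # The ldap module returns "notfound" when no entry matches User-Name;
    # that rcode does not abort the section, so test it explicitly.
    ldap
    if (notfound) {
        # No machine or user entry in LDAP: deny access.
        reject
    }

    # Entry exists: hand the packet to the EAP module, which sets
    # Auth-Type = EAP itself, so no per-machine "users" entry is needed.
    eap
}
```

For the PEAP/MS-CHAP half (4.2) the same `ldap` call goes in the `inner-tunnel` server's `authorize` section, followed by `mschap`; the `mschap` module needs the NT hash exposed as the `NT-Password` check item, which is what the `checkItem NT-Password sambaNtPassword` line in `ldap.attrmap` does (verify the attribute name matches your Samba schema). Whether the LDAP bind account can actually read that attribute is the usual failure point: test the bind and search with `ldapsearch` using the same DN and password before debugging the RADIUS side.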
