Combining EAP, MSCHAP and LDAP

David Hartburn D.J.Hartburn at
Mon Dec 9 09:45:57 CET 2013


Can anyone help advise if FreeRADIUS is suitable without any other 
changes to the existing infrastructure at my institution? If so, any 
advice on the best way to implement would be appreciated.

I am looking at options for replacing MS NPS with basically something 
better that works and is debuggable. FreeRadius looks the best option.

Our setup is a little complicated. Wireless users authenticate with EAP 
type PEAP, the inner authentication being done via MSCHAPv2. At the 
backend, we have a *nix based LDAP server with a particular attribute 
set for if a user is permitted to access the wireless network. Passwords 
are stored in an encrypted format. When a user binds, they can not see 
the resource attribute saying if they are permitted to use wireless. The 
LDAP information is pushed into active directory, where a wireless user 
group is created and populated by those who have the wireless flag set. 
Currently NPS authenticates against AD and checks this group.

My preference would be to leave any windows stuff out of the equation.

I followed a couple of online guides and have had FreeRadius 
successfully authenticate users against AD, however I then found 
something saying if I wanted to check groups I would have to use LDAP.

Following the information in the Dirk van der Walt book, it states that 
you can bind to LDAP as a user but are limited to PAP authentication or 
you can read the userPassword attribute which must be plain text if 
MSCHAP is needed. Neither sounds suitable for what I need.

Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute 
and an encrypted password?

As the password is encrypted and of little use, our LDAP expert 
suggested that we bind using a system account to check the account 
exists and has rights for wireless (I have this bit working), then to 
authenticate a bind is made as the user. Does this sound reasonable?

Would binding to the AD server as an LDAP server offer any better avenue?

As this is currently a proof-of-concept lab exercise, we do not want to 
make any changes to our existing infrastructure if possible. If that is 
required, giving users permission to see their wireless attribute in 
LDAP seems like the least painful.

Sorry for the rambling posts, I'm in the newbie situation of being faced 
with many paths open to me, and not really knowing the best one to take.



More information about the Freeradius-Users mailing list