Combining EAP, MSCHAP and LDAP
D.J.Hartburn at kent.ac.uk
Mon Dec 9 09:45:57 CET 2013
Can anyone help advise if FreeRADIUS is suitable without any other
changes to the existing infrastructure at my institution? If so, any
advice on the best way to implement would be appreciated.

I am looking at options for replacing MS NPS with basically something
better that works and is debuggable. FreeRADIUS looks the best option.

Our setup is a little complicated. Wireless users authenticate with EAP
type PEAP, the inner authentication being done via MSCHAPv2. At the
backend, we have a *nix based LDAP server with a particular attribute
set for whether a user is permitted to access the wireless network. Passwords
are stored in an encrypted format. When a user binds, they cannot see
the resource attribute saying if they are permitted to use wireless. The
LDAP information is pushed into Active Directory, where a wireless user
group is created and populated by those who have the wireless flag set.
Currently NPS authenticates against AD and checks this group.

My preference would be to leave any Windows stuff out of the equation.
I followed a couple of online guides and have had FreeRADIUS
successfully authenticate users against AD; however, I then found
something saying if I wanted to check groups I would have to use LDAP.
The Dirk van der Walt book states that
you can bind to LDAP as a user but are limited to PAP authentication, or
you can read the userPassword attribute, which must be plain text if
MSCHAP is needed. Neither sounds suitable for what I need.

Is it possible for FreeRADIUS to use EAP, MSCHAP, check an LDAP attribute
and an encrypted password?

As the password is encrypted and of little use, our LDAP expert
suggested that we bind using a system account to check the account
exists and has rights for wireless (I have this bit working), then to
authenticate a bind is made as the user. Does this sound reasonable?
Would binding to the AD server as an LDAP server offer any better avenue?

As this is currently a proof-of-concept lab exercise, we do not want to
make any changes to our existing infrastructure if possible. If that is
required, giving users permission to see their wireless attribute in
LDAP seems like the least painful.

Sorry for the rambling post; I'm in the newbie situation of being faced
with many paths open to me, and not really knowing the best one to take.
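As an added illustration (not from the post or the FreeRADIUS project), this is the shape of a FreeRADIUS 3 configuration for the setup above: the inner PEAP tunnel verifies MS-CHAPv2 against an NT-hash attribute read through a service-account bind, and the wireless flag is enforced in the user search filter. The hostname, DNs, the `wirelessAccess` attribute and the `sambaNTPassword` attribute are assumptions, not values from the post.

```text
# --- mods-available/ldap (illustrative; names below are assumptions) ---
ldap {
    # placeholder host
    server = "ldaps://ldap.example.ac.uk"

    # Service account that may read the wireless flag and the hash
    # attribute. Binding as the end user is not an option for MS-CHAPv2:
    # the RADIUS server only ever receives a challenge response, never
    # the password, so it has nothing to bind with.
    identity = "cn=radius,ou=services,dc=example,dc=ac,dc=uk"
    password = "service-account-secret"
    base_dn  = "dc=example,dc=ac,dc=uk"

    user {
        base_dn = "ou=people,${..base_dn}"
        # Only return the entry if the (assumed) wireless flag is set;
        # a user without the flag is "not found" and is rejected below.
        filter  = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(wirelessAccess=TRUE))"
    }

    update {
        # MS-CHAPv2 can be verified from the NT hash (MD4 of the UTF-16LE
        # password), so the directory must expose either that hash or the
        # cleartext. A salted SHA/crypt userPassword cannot be used for
        # MS-CHAP; only PAP can be checked against such a hash.
        control:NT-Password := 'sambaNTPassword'
    }
}

# --- sites-available/inner-tunnel (where the PEAP inner request lands) ---
authorize {
    # Recognises MS-CHAP attributes and sets Auth-Type = MS-CHAP.
    mschap
    # Runs the filter above and fills control:NT-Password from LDAP.
    ldap
    if (notfound) {
        # Account missing or wireless flag not set.
        reject
    }
}

authenticate {
    Auth-Type MS-CHAP {
        # Compares the peer's response against control:NT-Password.
        mschap
    }
}
```

If the directory holds no NT hash at all, the `update` mapping has nothing to work with and MS-CHAPv2 will fail for every user regardless of the flag check; populating such an attribute (or keeping AD in the path) is then the only route.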