Thoughts on a FreeRadius setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients

Nicola Volpini Nicola.Volpini at
Thu Jan 24 15:26:11 CET 2013

Hi everyone,

I've been assigned the exciting task to setup a wired 802.1x environment to manage the access to our office infrastructure.
I'm currently gathering all the possible informations to plan and deploy the solution since it's the first time I approach 802.1x and FreeRadius.
I'm reading Freeradius beginner's guide by Dirk Van Der Walt and experimenting a bit with a freshly installed Ubuntu 12.04 freeradius server.

Since I'm still in the planning phase I'd like to correctly understand which possibilities I have to deploy this of setup according to the needs of my company.
This would be the list of requirements, my thoughts will follow:

1. user authentication and authorisation against our OpenLDAP directory, which is currently setup to store passwords with a SASL mechanism (the pass is hashed, and Apache Directory Studio shows the value of the UserPassword attribute of each user as "SASL hashed password". This note is important, see further on)
2. Switchport dynamic VLAN assignment on the Cisco Catalyst switches depending on the gidNumber of the user
3. Multiplatform support (Windows 7, Ubuntu 10.04, Ubuntu 12.04)
4. FreeRadius server certificate validation (no client certificates used) and 802.1x authentication by providing user/pass

My concerns and thoughts, point by point:

1. From what I had the opportunity to read in the FreeRadius configuration files, using LDAP as a password store is not possible when having hashed passwords. Yet, when I test the password validation via radtest the software succeeds and gives me an accept-accept. Intentionally mistyping the pass gives a reject. What am I doing wrong? Is the radtest tool using some other mechanism then MSCHAPv2?
2. this appears to be fairly easy to achieve by configuring the users file with one line per LDAP group like  "DEFAULT LdapGroup == xxx"  to return the "Tunnel-private-group-ID [81]" VDA depending on the match... or maybe in some other place of the config via ulang? I still need to understand how it works
3. and 4. Both of these points, together with our infrastructure not being ready yet for client certificates validation, led me to the conclusion that PEAPv0/EAP-MSCHAPv2 could be the way to go... but point 1 would invalidate this assumption.

Is my reasoning correct? I'm still at a very early stage of the planning and a bit confused.

Thanks for your help!


Nicola Volpini
The information in this email is confidential and may be legally privileged.
If you are not the intended recipient, you must not read, use or disseminate that information
and upon reception, permanently delete the original and destroy any copies.
Although this email and any attachments are believed to be free of any virus
or any other defect which might affect any computer or IT system into which
they are received and opened, it is the responsibility of the recipient to
ensure that they are virus free and no responsibility is accepted by Kambi
for any loss or damage arising in any way from receipt or use thereof.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list