moving from WPA2 to WPA2 Enterprise

Ben Humpert ben at an3k.de
Thu Jun 25 14:18:44 CEST 2015


2015-06-25 13:31 GMT+02:00 Jochen Demmer <jochen.demmer at peakwork.com>:
> Does someone maybe have a good howto for my scenario? Freeradius 3 +
> OpenLDAP with MSCHAPv2 and NTLM based passwords, which are by the way stored
> in an attribute called sambaNTPassword.

I had such a setup before but moved to EAP-TLS and completely dropped
LDAP. In fact it is not that difficult to get it working. You just
need to configure the ldap module correctly, enable LDAP in
sites-enabled/ and that's it.

> I keep trying to setup Radius 3 but it keeps saying:
>
> Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use.
> Need more spares
> Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional
> connection (8)

That's fine. FR closes unused connections after a specified amount of
time. If it then needs a connection but has none open already it
prints out that message and reopens connections.

> I've just configured the ldap module and also activated it. Also I have
> added a client so far.

A client or a user? A client is a NAS that requires a user to
authenticate and forwards user access requests to the RADIUS. And a
user is a user, obviously :)

> Do I have to install this radius schema into my LDAP backend if I'm going
> with the LDAP connection?

If you just want to read username & password out of LDAP you don't
need it. If you additionally want to manage clients and other stuff
like RADIUS attributes (e.g. Calling-Station-Id or
Tunnel-Private-Group-Id) then you have to install it. There are two
schema files: one for radius itself and all attributes and one for
radius clients.

> I thought ideally the user is checked and additionally if he belongs to some
> group to have access control.
>

RADIUS does only authentication of users. If you want to apply more
attributes, e.g. VLAN, you have to tell RADIUS to additionally read
these attributes stored in LDAP. If these are present for a user/group
it applies them. If not, it doesn't. If you want more you have to
script unlang.
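As an added illustration of the setup discussed above (configure the ldap module, enable it in sites-enabled/, map the NT hash and optional VLAN/group attributes), here is a FreeRADIUS 3 configuration sketch. It is not from the original thread or from the FreeRADIUS project; the server name, bind DN, password, group name and the `radiusTunnelPrivateGroupId` attribute are placeholders, and the group check assumes a groupOfNames-style tree under `ou=groups`.

```conf
# mods-available/ldap  (added example; all values below are placeholders)
ldap {
    # LDAPS with a verified server certificate: the NT hashes read from
    # sambaNTPassword are password equivalents and must not cross the wire in clear.
    server   = 'ldaps://ldap.example.org'
    identity = 'cn=radius,ou=services,dc=example,dc=org'
    password = 'CHANGE-ME'
    base_dn  = 'dc=example,dc=org'

    update {
        # Hand the stored NT hash to rlm_mschap; it expects it in control:NT-Password.
        control:NT-Password := 'sambaNTPassword'
        # Optional per-user VLAN. Applied only if the entry carries the attribute,
        # otherwise the reply simply has no Tunnel-Private-Group-Id.
        reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
    }

    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn           = "ou=groups,${..base_dn}"
        filter            = '(objectClass=groupOfNames)'
        name_attribute    = 'cn'
        membership_filter = "(member=%{control:Ldap-UserDn})"
    }

    tls {
        ca_file      = /etc/ssl/certs/ca-certificates.crt
        require_cert = 'demand'
    }

    # Connection pool. Idle connections are closed after idle_timeout, which is
    # why the "Need more spares ... Opening additional connection" Info lines appear.
    pool {
        start        = 5
        min          = 4
        max          = 32
        spare        = 3
        idle_timeout = 60
    }
}

# mods-available/eap (relevant part): PEAP carrying MSCHAPv2 inside the TLS tunnel
eap {
    default_eap_type = peap
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

# sites-enabled/inner-tunnel, authorize section (other default entries stay as shipped)
authorize {
    mschap
    suffix
    eap
    files
    ldap
    # Group-based access control: anyone outside the wifi-users group is rejected
    # before the MSCHAPv2 exchange is even evaluated.
    if (!(LDAP-Group == "wifi-users")) {
        reject
    }
    expiration
    logintime
}
```

After `ln -s ../mods-available/ldap /etc/freeradius/mods-enabled/ldap`, run the server with `radiusd -X` and watch the debug output: a successful lookup shows the `control:NT-Password` update from the user entry, and a failed group check shows the `reject` firing in the inner tunnel before `mschap` runs.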

