Add Check Item in PEAP MSCHAP V2 authentication process

Alan DeKok aland at
Mon Aug 29 17:49:34 CEST 2016

On Aug 29, 2016, at 9:21 AM, Tim Baledorion <timbaledorion at> wrote:
>>   What is a "node identifier" ?
> A node Identifier is

  If you don't care enough to properly describe the issue, why should I care enough to help you?

> In the inner-tunnel the authentication is done against LDAP database through radius ldap module. I wanted to check the NET-NodeID during the TLS phase, that's why I was thinking it has to be there.

  Read the debug log.  It shows you where the attribute is located.

>>  A proxy *cannot* modify the data inside of a TLS tunnel.  TLS is designed to prevent this...
> I understand that quite well. That's why I was asking if I had to change something in the supplicant to allow the behaviour I was requesting.

  You can't change the supplicant.

> Maybe I should modify the ldap module parameters to look through the LDAP database in the authorize section with a match for Net-NodeID first, and then authenticate as it is requested in PEAP-MSCHAPv2?
> If you think this id is the right one I would probably have to set up 2 ldap instances, one for the inner-tunnel, the other for the authorize section.

  The files raddb/sites-available/default and raddb/sites-available/inner-tunnel contain a lot of documentation and suggestions.  Read them.

  Alan DeKok.
