Add Check Item in PEAP MSCHAP V2 authentication process

Tim Baledorion timbaledorion at
Mon Aug 29 19:44:47 CEST 2016

Le 29/08/2016 à 17:49, Alan DeKok a écrit :
> On Aug 29, 2016, at 9:21 AM, Tim Baledorion <timbaledorion at> wrote:
>>>    What is a "node identifier" ?

A node Identifier is a Item that identified the Node in my design it is Net-NodeID.

>    If you don't care enough to properly describe the issue, why should I care enough to help you?
>> In the inner-tunnel the authentication is done against LDAP database through radius ldap module. I wanted to check the NET-NodeID during the TLS phase that's why i was thinking it has to be there.
>    Read the debug log.  It shows you where the attribute is located.
>>>   A proxy *cannot* modify the data inside of a TLS tunnel.  TLS is designed to prevent this...
>> I understand that quite well. That's why i was asking if the i had to change something in the supplicant to allow the behaviour i was requesting.
>    You can't change the supplicant.
>> Maybe i should modify the ldap module parameters to look through the LDAP database in the authorize section with a match for Net-NodeID first, and then authenticate as it is requested in PEAP-MSCHAPv2?
>> If you think this id is the right one i would have probably to setup 2 ldap instance one for the inner-tunnel the other for the authorize section.
>    The files raddb/sites-available/default and raddb/sites-available/inner-tunnel contain a lot of documentation and suggestions.  Read them.
  I read theim again and find nothing about that except something 
related to operator-name that looks the same to what i would like to 
do....but i don't know if operator-name item can be a check item?

Thank you for your interest anyway.


>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list