Add Check Item in PEAP MSCHAP V2 authentication process
timbaledorion at hotmail.com
Mon Aug 29 19:44:47 CEST 2016
On 29/08/2016 at 17:49, Alan DeKok wrote:
> On Aug 29, 2016, at 9:21 AM, Tim Baledorion <timbaledorion at hotmail.com> wrote:
>>> What is a "node identifier" ?
A node identifier is an item that identifies the node; in my design it is Net-NodeID.
> If you don't care enough to properly describe the issue, why should I care enough to help you?
>> In the inner-tunnel the authentication is done against the LDAP database through the radius ldap module. I wanted to check the NET-NodeID during the TLS phase, that's why I was thinking it has to be there.
> Read the debug log. It shows you where the attribute is located.
>>> A proxy *cannot* modify the data inside of a TLS tunnel. TLS is designed to prevent this...
>> I understand that quite well. That's why I was asking if I had to change something in the supplicant to allow the behaviour I was requesting.
> You can't change the supplicant.
>> Maybe I should modify the ldap module parameters to look through the LDAP database in the authorize section with a match for Net-NodeID first, and then authenticate as it is requested in PEAP-MSCHAPv2?
>> If you think this idea is the right one, I would probably have to set up 2 LDAP instances, one for the inner-tunnel, the other for the authorize section.
> The files raddb/sites-available/default and raddb/sites-available/inner-tunnel contain a lot of documentation and suggestions. Read them.
I read them again and found nothing about that except something
related to operator-name that looks similar to what I would like to
do... but I don't know if the operator-name item can be a check item?
Thank you for your interest anyway.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html