Add Check Item in PEAP MSCHAP V2 authentication process

Tim Baledorion timbaledorion at
Wed Aug 31 20:13:02 CEST 2016

I finally succeed in doing what i wanted to do.

I had to implement to ldap instance one for the default server, other 
one for the inner-tunnel server.

For the default server, i had to filter on NET-NodeID (filter in user 
section in ldap module configuration) and to reject authentication if 
nothing is found (add notfound=reject in call of ldap module in 
authorize section of default server configuration file)

For the inner-tunnel server i keep the ldap module configuration and the 
inner tunnel unchanged.

Thanks for your support.


Le 29/08/2016 à 19:44, Tim Baledorion a écrit :
> Le 29/08/2016 à 17:49, Alan DeKok a écrit :
>> On Aug 29, 2016, at 9:21 AM, Tim Baledorion 
>> <timbaledorion at> wrote:
>>>>    What is a "node identifier" ?
> A node Identifier is a Item that identified the Node in my design it 
> is Net-NodeID.
>>    If you don't care enough to properly describe the issue, why 
>> should I care enough to help you?
>>> In the inner-tunnel the authentication is done against LDAP database 
>>> through radius ldap module. I wanted to check the NET-NodeID during 
>>> the TLS phase that's why i was thinking it has to be there.
>>    Read the debug log.  It shows you where the attribute is located.
>>>>   A proxy *cannot* modify the data inside of a TLS tunnel.  TLS is 
>>>> designed to prevent this...
>>> I understand that quite well. That's why i was asking if the i had 
>>> to change something in the supplicant to allow the behaviour i was 
>>> requesting.
>>    You can't change the supplicant.
>>> Maybe i should modify the ldap module parameters to look through the 
>>> LDAP database in the authorize section with a match for Net-NodeID 
>>> first, and then authenticate as it is requested in PEAP-MSCHAPv2?
>>> If you think this id is the right one i would have probably to setup 
>>> 2 ldap instance one for the inner-tunnel the other for the authorize 
>>> section.
>>    The files raddb/sites-available/default and 
>> raddb/sites-available/inner-tunnel contain a lot of documentation and 
>> suggestions.  Read them.
>  I read theim again and find nothing about that except something 
> related to operator-name that looks the same to what i would like to 
> do....but i don't know if operator-name item can be a check item?
> Thank you for your interest anyway.
> Tim
>>    Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See 
> -
> List info/subscribe/unsubscribe? See 

More information about the Freeradius-Users mailing list