Add Check Item in PEAP MSCHAP V2 authentication process
timbaledorion at hotmail.com
Wed Aug 31 20:13:02 CEST 2016
I finally succeed in doing what i wanted to do.
I had to implement to ldap instance one for the default server, other
one for the inner-tunnel server.
For the default server, i had to filter on NET-NodeID (filter in user
section in ldap module configuration) and to reject authentication if
nothing is found (add notfound=reject in call of ldap module in
authorize section of default server configuration file)
For the inner-tunnel server i keep the ldap module configuration and the
inner tunnel unchanged.
Thanks for your support.
Le 29/08/2016 à 19:44, Tim Baledorion a écrit :
> Le 29/08/2016 à 17:49, Alan DeKok a écrit :
>> On Aug 29, 2016, at 9:21 AM, Tim Baledorion
>> <timbaledorion at hotmail.com> wrote:
>>>> What is a "node identifier" ?
> A node Identifier is a Item that identified the Node in my design it
> is Net-NodeID.
>> If you don't care enough to properly describe the issue, why
>> should I care enough to help you?
>>> In the inner-tunnel the authentication is done against LDAP database
>>> through radius ldap module. I wanted to check the NET-NodeID during
>>> the TLS phase that's why i was thinking it has to be there.
>> Read the debug log. It shows you where the attribute is located.
>>>> A proxy *cannot* modify the data inside of a TLS tunnel. TLS is
>>>> designed to prevent this...
>>> I understand that quite well. That's why i was asking if the i had
>>> to change something in the supplicant to allow the behaviour i was
>> You can't change the supplicant.
>>> Maybe i should modify the ldap module parameters to look through the
>>> LDAP database in the authorize section with a match for Net-NodeID
>>> first, and then authenticate as it is requested in PEAP-MSCHAPv2?
>>> If you think this id is the right one i would have probably to setup
>>> 2 ldap instance one for the inner-tunnel the other for the authorize
>> The files raddb/sites-available/default and
>> raddb/sites-available/inner-tunnel contain a lot of documentation and
>> suggestions. Read them.
> I read theim again and find nothing about that except something
> related to operator-name that looks the same to what i would like to
> do....but i don't know if operator-name item can be a check item?
> Thank you for your interest anyway.
>> Alan DeKok.
>> List info/subscribe/unsubscribe? See
> List info/subscribe/unsubscribe? See
More information about the Freeradius-Users