Help for configuration 3.0.11
Alan DeKok
aland at deployingradius.com
Wed Sep 28 20:28:17 CEST 2016
On Sep 28, 2016, at 1:21 PM, Philipp Trenz <mail at philipptrenz.de> wrote:
> I'm trying to configure v3.0.11 and have some problems understanding how freeradius requests the configuration.
>
> The plan is to process requests via PEAP/MS-CHAPv2 to check MD4-Hashes against NT-Password-Attribute in an LDAP database.
1) configure the LDAP module
2) enable it in the raddb/mods-enabled/ directory
3) test PEAP
4) it will work.
> As I understand, PEAP gets processed within the outer default-virtual server and this passes the inner MS-CHAPv2 to inner-tunnel. Now I'm not sure if it has to be processed through the mschap-module or through ldap-module. If the mschap-module, where or when does freeradius get the NT-Password from LDAP? Does the mschap-module trigger the ldap-module?
The authentication data inside of the TLS tunnel gets passed to the inner-tunnel virtual server.
There, the LDAP module is queried for the known password.
Then, the MS-CHAP module uses the known password to authenticate the user.
> In detail, I want to upgrade a working 2.0.0 configuration to 3.0.11 (and then update to the upcoming 3.0.12 release). Another point I'm struggling with is the mappings of the LDAP attributes. I have the old ldap.attrmap, but don't know how to bring
> checkItem $GENERIC$ radiusCheckItem
> replyItem $GENERIC$ radiusReplyItem
> to the new configuration. Changing the NT-Password is more simple ;)
See raddb/mods-available/ldap. Look for the "update" block in that file. This is documented.
Alan DeKok.
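
The configuration this reply describes, as an added example that is not part of the original message or taken from the poster's setup: the v3 "update" block carrying over the two generic ldap.attrmap lines, and the inner-tunnel order in which LDAP supplies the NT hash before mschap checks it. The LDAP attribute name 'sambaNTPassword' is an assumption, and only the modules relevant to this flow are listed in the virtual server.

```conf
# raddb/mods-available/ldap (FreeRADIUS 3.0.x), inside the "ldap { ... }" block.
# This "update" block replaces the v2 ldap.attrmap file.
update {
	# Known-good password for MS-CHAPv2.
	# 'sambaNTPassword' is an ASSUMED attribute name; use whichever LDAP
	# attribute in your directory holds the NT hash.
	control:NT-Password	:= 'sambaNTPassword'

	# v2: checkItem $GENERIC$ radiusCheckItem
	# When only a list is given on the left, the LDAP value is parsed
	# as a complete "Attribute op value" pair and added to that list.
	control:		+= 'radiusCheckItem'

	# v2: replyItem $GENERIC$ radiusReplyItem
	reply:			+= 'radiusReplyItem'
}

# raddb/sites-available/inner-tunnel
# Receives the MS-CHAPv2 data from inside the PEAP TLS tunnel.
server inner-tunnel {
	authorize {
		mschap
		eap {
			ok = return
		}
		# LDAP lookup: fills control:NT-Password via the update block above.
		ldap
	}

	authenticate {
		# mschap validates the response against control:NT-Password.
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

The NT hash is password-equivalent for MS-CHAPv2, so the LDAP bind account used by the server should be the only identity allowed to read that attribute, and the LDAP connection should run over TLS.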