3.0.12 EAP-PEAP with OpenLDAP group membership and Packet-Src-IP-Address checking

Brian Candler b.candler at pobox.com
Thu Jan 12 09:39:09 CET 2017

On 11/01/2017 17:05, Staiger, Moritz (RRZE) wrote:
> we are running freeradius 3.0.12 which is authenticating against an openldap server with EAP PEAP MSCHAPv2
When you say "is authenticating against an openldap server", I wonder if 
you mean "is reading a cleartext password or NTLM password hash out of 
an openldap server"

When people say "authenticating against LDAP" they usually mean "using 
LDAP as a password oracle by doing an LDAP BIND with the user-supplied 
password". But if you are using MSCHAPv2 this is impossible, since you 
don't receive the cleartext password.

> In future we want to enable VLAN assignment via LDAP so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking.
> Users from LDAP group „Admins“ should be assigned to VLAN 10 (management)
> Users from LDAP group „Operators“ should be assigned to VLAN 20 (operator)
> Users from other LDAP groups „Group-X“ should be assigned to a user-specific VLAN which is represented in the LDAP attribute „radiusTunnelPrivateGroupId“.
This might help as a starting point.

More information about the Freeradius-Users mailing list
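Added example, not part of Brian Candler's reply and not the FreeRADIUS project's stock configuration: one way to express the requirements quoted above in FreeRADIUS 3.0.12 unlang. It covers both points of the reply: the ldap module must read an NT hash or password out of OpenLDAP (an LDAP bind is impossible with MS-CHAPv2), and VLAN assignment is decided from LDAP group membership combined with Packet-Src-IP-Address, which is taken from the UDP header rather than from a NAS-supplied attribute. Everything below that is not in the original post is an assumption: the module instance name `ldap`, the DNs, the `memberof` overlay, the `sambaNTPassword` attribute, 192.0.2.0/24 as the management network, and the policy that Admins only get VLAN 10 when the request comes from that network.

```unlang
# --- mods-available/ldap (assumed instance name "ldap"; DNs are placeholders) ---
ldap {
	server   = "ldap.example.com"
	identity = "cn=radius,ou=services,dc=example,dc=com"
	password = "change-me"
	base_dn  = "dc=example,dc=com"

	user {
		base_dn = "ou=people,${..base_dn}"
		filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# LDAP-Group comparisons in unlang are evaluated lazily through this
	# section, so it has to be configured for the checks below to work.
	group {
		base_dn              = "ou=groups,${..base_dn}"
		filter               = "(objectClass=groupOfNames)"
		name_attribute       = cn
		membership_attribute = "memberOf"   # assumes the memberof overlay
	}

	update {
		# MS-CHAPv2 never gives the server the cleartext password, so no
		# LDAP bind is possible: the server needs the NT hash (or a
		# password it can hash).  The bind identity needs read access to
		# whichever attribute is used.
		control:NT-Password          := 'sambaNTPassword'
		control:Password-With-Header += 'userPassword'
		# Per-user VLAN from the directory (used for "Group-X" users).
		reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
	}
}

# --- sites-enabled/inner-tunnel, post-auth section ---
# PEAP runs the inner MS-CHAPv2 request through this virtual server; the
# fake inner request carries the outer packet's source address, so
# Packet-Src-IP-Address is usable here.
post-auth {
	# Admins: management VLAN, but only if the request came from a NAS on
	# the management network (assumed 192.0.2.0/24).  Admins logging in
	# from anywhere else fall through to their per-user VLAN.
	if (&LDAP-Group == "Admins" && &Packet-Src-IP-Address < 192.0.2.0/24) {
		update reply {
			&Tunnel-Type             := VLAN
			&Tunnel-Medium-Type      := IEEE-802
			&Tunnel-Private-Group-Id := "10"
		}
	}
	elsif (&LDAP-Group == "Operators") {
		update reply {
			&Tunnel-Type             := VLAN
			&Tunnel-Medium-Type      := IEEE-802
			&Tunnel-Private-Group-Id := "20"
		}
	}
	# Everyone else: the ldap module already put radiusTunnelPrivateGroupId
	# into the reply during authorize; just add the tunnel framing.
	elsif (&reply:Tunnel-Private-Group-Id) {
		update reply {
			&Tunnel-Type        := VLAN
			&Tunnel-Medium-Type := IEEE-802
		}
	}
	# No group match and no per-user VLAN: fail closed rather than let the
	# switch pick a default VLAN.
	else {
		update reply {
			&Reply-Message := "No VLAN assignment for %{User-Name}"
		}
		reject
	}

	# Inner-only attributes must not leak into the outer Access-Accept.
	update reply {
		&User-Name          !* ANY
		&EAP-Message        !* ANY
		&MS-MPPE-Send-Key   !* ANY
		&MS-MPPE-Recv-Key   !* ANY
	}
	# Hand the VLAN attributes to the outer reply.  The stock outer
	# post-auth copies session-state into the reply; this replaces the
	# older "use_tunneled_reply = yes" setting in mods-available/eap.
	update {
		&outer.session-state: += &reply:
	}
}
```

Check it with `radiusd -X` and a PEAP client (for example `eapol_test`) and confirm that the Access-Accept sent to the NAS carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id; if they only appear in the inner debug output, the copy to the outer reply is not happening. Comparing on `&Packet-Src-IP-Address` rather than `&NAS-IP-Address` matters because the latter is set by the NAS itself and a rogue device could claim any value.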