3.0.12 EAP-PEAP with OpenLDAP group membership and Packet-Src-IP-Address checking
Brian Candler
b.candler at pobox.com
Thu Jan 12 09:39:09 CET 2017
On 11/01/2017 17:05, Staiger, Moritz (RRZE) wrote:
> we are running freeradius 3.0.12 which is authenticating against an openldap server with EAP PEAP MSCHAPv2
When you say "is authenticating against an openldap server", I wonder if
you mean "is reading a cleartext password or NTLM password hash out of
an openldap server"
When people say "authenticating against LDAP" they usually mean "using
LDAP as a password oracle by doing an LDAP BIND with the user-supplied
password". But if you are using MSCHAPv2 this is impossible, since you
don't receive the cleartext password.
> In future we want to enable VLAN assignment via LDAP so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking.
>
> Users from LDAP group „Admins“ should be assigned to VLAN 10 (management)
> Users from LDAP group „Operators“ should be assigned to VLAN 20 (operator)
> Users from other LDAP groups „Group-X“ should be assigned to a user-specific VLAN which is represented in the LDAP attribute „radiusTunnelPrivateGroupId“.
This might help as a starting point.
http://lists.freeradius.org/pipermail/freeradius-users/2016-December/085977.html
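An added illustration (not from this thread or the linked post) of how the group-to-VLAN mapping and the Packet-Src-IP-Address restriction could be expressed in FreeRADIUS 3.0.x unlang. It assumes placeholder group DNs under ou=Groups,dc=example,dc=org, NAS addresses in 192.0.2.0/24, that mods-available/ldap maps radiusTunnelPrivateGroupId into reply:Tunnel-Private-Group-Id and supplies control:NT-Password for MSCHAPv2, and that use_tunneled_reply = yes is set in the peap section of mods-available/eap.

```unlang
# Added example, not the list's or project's own config. Assumed: group DNs,
# NAS range 192.0.2.0/24, and an ldap "update" section containing
#   reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
#   control:NT-Password := '<hash attribute>'   (needed for MSCHAPv2, no BIND)

# --- sites-enabled/inner-tunnel: runs once the inner MSCHAPv2 has succeeded ---
post-auth {
    # &LDAP-Group == "..." makes the ldap module check group membership.
    if (&LDAP-Group == "cn=Admins,ou=Groups,dc=example,dc=org") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (&LDAP-Group == "cn=Operators,ou=Groups,dc=example,dc=org") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "20"
        }
    }
    elsif (&reply:Tunnel-Private-Group-Id) {
        # Per-user VLAN already copied from radiusTunnelPrivateGroupId by the
        # ldap module during authorize; complete the tunnel attribute set.
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
        }
    }
    else {
        # Neither a known group nor a per-user VLAN: reject instead of
        # silently landing the user in the switch's default VLAN.
        reject
    }
}

# --- sites-enabled/default (outer server): tunneled reply attributes are
# present here because of use_tunneled_reply = yes ---
post-auth {
    # Packet-Src-IP-Address is the source address of the RADIUS packet, i.e.
    # the NAS. Only switches in the management range may hand out VLAN 10;
    # "<" tests whether the address lies inside the prefix.
    if ((&reply:Tunnel-Private-Group-Id == "10") && \
        !(&Packet-Src-IP-Address < 192.0.2.0/24)) {
        reject
    }
}
```

Verify the group comparison with radiusd -X: the debug output shows the ldap module's group-membership lookup and the resulting reply attributes before the outer post-auth check runs.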