Palmer J.D.F. wrote:
Hi,

I am currently trying to create a new auth system for our WPA 802.1x WiFi network.

Thus far I have the server authenticating using PEAP(MSCHAPv2) against a users file containing a simple test user/pass pair.

What I would now like to do is use MySQL to contain user data such as the VLAN to be assigned to that user and which LDAP server their account

Assuming you know how to make the VLAN assignment work at all, then this is trivial.

Assigning a completely dynamic LDAP server might be a little more tricky.

If you know what set of LDAP server(s) you want to use in advance, then you could do this:

modules {
  ldap ldap1 {
    # config here
  }
  ldap ldap2 {
    # config here
  }
}

authorize {
  preprocess
  mysql
  mschap
  eap

  Autz-Type Ldap1 {
    ldap1
  }
  Autz-Type Ldap2 {
    ldap2
  }
}

The "mysql" module/tables will need to set Autz-Type on the requests, at which point the authorize stanza will be run *again* executing the conditional sections.

...however making this work correctly in the presence of eap/ms-chapv2 will not be straightforward, and in any event you have the other issue...

exists on, then use LDAP to verify the credentials.

The only "verification" LDAP can do of credentials is to proxy PAP requests to LDAP simple binds. You cannot check MS-CHAP "against" an LDAP server.

However, using LDAP as a database, as it was intended, *if* the LDAP server contains either the plaintext password or the NT/LM hashes, the radius server can read them, and the ldap module is configured to get them from LDAP, then FreeRADIUS can perform the MS-CHAP inside itself.


The idea being that a PEAP request comes in, tunnel gets built etc, the user gets looked up in the MySQL database, the credentials are then authenticated against the correct LDAP (or RADIUS) server, then on success an access-accept along with the user's VLAN is passed back to the NAS.

This seems extremely hard work. Why would you use both MySQL and LDAP?


The question is, is it possible for PEAP(MSCHAPv2) and LDAP with MySQL to interact in this way?

Your question is not precise enough for me to be sure exactly what you want.
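As an added example (not from the list post), the MySQL rows that would drive the configuration above for one user, using the column layout of FreeRADIUS's stock radcheck/radreply tables; the username "alice", VLAN 42 and the choice of "Ldap1" are assumed values:

```sql
-- Stock FreeRADIUS table layout, trimmed to the columns the sql module reads.
CREATE TABLE radcheck (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL,
  attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL,
  value     VARCHAR(253) NOT NULL
);
CREATE TABLE radreply (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL,
  attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL,
  value     VARCHAR(253) NOT NULL
);

-- Check item: picks which "Autz-Type" sub-section of authorize runs for this user.
-- "Ldap1" matches the sub-section name in the authorize stanza; "alice" is constructed.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('alice', 'Autz-Type', ':=', 'Ldap1');

-- Reply items: the three RFC 3580 attributes a NAS needs to place the port in a VLAN.
-- VLAN 42 is a constructed value.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('alice', 'Tunnel-Type',             ':=', 'VLAN'),
  ('alice', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('alice', 'Tunnel-Private-Group-Id', ':=', '42');

-- What the sql module's check query pulls for the user during authorize,
-- i.e. the rows that end up setting Autz-Type on the request.
SELECT attribute, op, value FROM radcheck WHERE username = 'alice';
```

Because the inner MS-CHAPv2 identity is authenticated inside the PEAP tunnel, these reply attributes only reach the NAS if the PEAP configuration copies the inner reply to the outer Access-Accept (use_tunneled_reply in eap.conf).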