Hello freeradius-users, I'm searching for a way to ignore the phase 1 identity and avoid ldap access during phase 1 for EAP-PEAP/mschapv2.
I'm trying to migrate a freeradius V1 eap + ldap instance to freeradius V2.1.8 (+1200 NAS, many kinds of AP, mostly Cisco, all sorts of supplicants on XP SP2/SP3, MacOSX, unknown cash registers and so on, all around the world ...). As I understand that starting from V1 configs is always a BAD idea, I started from a default 2.1.8, with sites-enabled default and inner-tunnel, with ldap.

* authorize must check that the user has some radiusgroup-name attribute in ldap
* authenticate the user in ldap

According to the customer:

For phase 1 (outer):
* no check has to be done on phase 1 (ignore outer identity, etc ...)
* a huntgroup hotspot is assigned during outer preprocess

For phase 2 (inner):
* use the inner identity to check if the user has the correct radiusgroup-name attribute
* use the inner identity to validate user/password, mostly using eap-peap with mschapv2, without ntlm_auth from samba installed.

I have a basic setup which seems to work (eapol_test compiled from hostapd sources), but it generates a lot of logs and ldap access during phase 1. It also fails if the outer identity is unknown in ldap (anonymous or other fancy ids encountered in the customer's freeradius v1 production auth_logs ...).

I have eapol_test logs and freeradius -X output available.

Would you have some guidelines to achieve this?

Best regards
Fred

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
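A configuration sketch of the split the question asks for, added here as an illustration; it is not Fred's setup and not the stock FreeRADIUS files. It assumes the default 2.1.8 layout (sites-enabled/default for the outer phase 1 request, sites-enabled/inner-tunnel for the PEAP inner phase 2 request, the ldap module defined in modules/ldap with set_auth_type = yes), and the group name "radius-users" and the huntgroups line are constructed placeholders. The point it shows: the outer identity is never looked up in LDAP, because the ldap call in the outer authorize section is guarded so that only non-EAP requests reach it, while the inner identity gets the full LDAP lookup, group check and MS-CHAPv2 password check.

```unlang
# Added example, not the poster's config and not the FreeRADIUS defaults.
# Assumes: stock 2.1.8 layout, ldap module in modules/ldap (set_auth_type = yes).

# ---- sites-enabled/default : outer request, phase 1 ----
authorize {
    # preprocess applies the huntgroups file, e.g. (constructed line):
    #   hotspot   NAS-IP-Address == 192.0.2.10
    # leaving Huntgroup-Name = "hotspot" on the request.
    preprocess

    # Problematic ordering: ldap is called for every request, so the outer
    # identity ("anonymous", cash-register ids, ...) is looked up in LDAP on
    # each EAP conversation; that is the phase 1 noise and the unknown-user
    # failures.
    #   ldap
    #   eap

    # Fix: let eap claim EAP requests and stop the section. eap returns "ok"
    # for packets that continue an existing EAP conversation, so "ok = return"
    # skips everything below for the TLS handshake packets.
    eap {
        ok = return
    }

    # Guard the LDAP lookup so even the first EAP-Identity packet never
    # touches LDAP: only non-EAP requests (PAP, MAC auth, ...) reach ldap.
    if (!EAP-Message) {
        ldap
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}

# ---- sites-enabled/inner-tunnel : inner request, phase 2 ----
authorize {
    # The inner identity is the real user: look it up in LDAP and reject
    # unknown users here, not in phase 1.
    ldap
    if (notfound) {
        reject
    }

    # Group check on the inner identity. "radius-users" is a placeholder;
    # the radiusgroup-name attribute could also be mapped to a check item
    # through ldap.attrmap instead of an Ldap-Group condition.
    if (!(Ldap-Group == "radius-users")) {
        reject
    }

    # mschap uses the NT-Password (or cleartext password) that ldap fetched,
    # so MS-CHAPv2 works without ntlm_auth / samba.
    mschap
    eap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

With this in place, a freeradius -X run of an eapol_test PEAP session should show no rlm_ldap lines until the inner-tunnel request is processed, and an outer identity that does not exist in LDAP no longer affects the outcome.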