On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
> > Apparently not; you can apparently run EAP-TLS inside PEAP,
> > which is a new one on me.
>
> Has been running fine here for months. Only real benefit - SoH with EAP-TLS.
>
> > For PEAP/MSCHAP, under 2.x the link someone posted to my
> > horrible hack works. Or under 3.x, "eap { ok = return }" in
> > the inner-tunnel also works.
>
> OK. Just wondering if you could really get it down to a single
> lookup, IIRC you needed the 'known good' NT-Password data for a
> couple of rounds of MSCHAPv2?

Using PEAP/EAP-TLS, we put the LDAP lookup in the TLS virtual server, where we can look up the certificate data in LDAP. It hits once, after the cert has verified, and allows other things to deny the auth. LDAP is in the example file.

See the sites-available/check-eap-tls file in v3, and the mods-available/eap file, option "virtual_server" in the "tls" section.

I backported the patch I wrote to do this to v2 (which is what we are running); I'm not sure if it made it into the released 2.x code (I doubt it). It's an easy patch if anyone wants to do it themselves.

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
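The post-verification LDAP hook described above, written out as an added FreeRADIUS 3.x configuration example (not the thread's own files or the shipped check-eap-tls): the "tls" configuration names a virtual server, and that server's authorize section is run once, after the client certificate chain has verified, so an unknown or de-provisioned identity is refused even though its certificate is valid. The LDAP filter keyed on User-Name is the stock ldap module default, and the "wifi-users" group is a constructed placeholder.

```conf
# mods-available/eap (FreeRADIUS 3.x layout, only the relevant keys shown).
# After the client certificate has verified, EAP-TLS runs the named
# virtual server; anything other than ok/updated from its authorize
# section causes the TLS handshake to be rejected.
eap {
	default_eap_type = tls
	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		# Hand the verified certificate to this virtual server.
		virtual_server = check-eap-tls
	}
	tls {
		tls = tls-common
	}
}

# sites-available/check-eap-tls: exactly one LDAP lookup per
# authentication, keyed on the verified certificate's Common Name.
server check-eap-tls {
	authorize {
		# The ldap module's default "user" filter searches on User-Name,
		# so set it from the certificate before calling the module.
		update request {
			&User-Name := "%{TLS-Client-Cert-Common-Name}"
		}
		ldap
		# Valid chain but no matching account: deny.
		if (notfound) {
			reject
		}
		# Second gate, so LDAP can deny a still-valid certificate:
		# the account must be in a permitted group ("wifi-users" is a
		# constructed placeholder, not taken from the thread).
		if (!(LDAP-Group == "wifi-users")) {
			reject
		}
		ok
	}
}
```

Because the lookup runs against the certificate rather than a password exchange, the same single hit applies whether EAP-TLS is the outer method or the inner method of PEAP as discussed in the thread.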