> When I try to log into the WPA enterprise (802.1x) WLAN my freeradius is
> having trouble to obtain the NT-Password.  The hash resides in our LDAP,
> but does PF take care of retrieving it, or do I need to configure the
> connection from the freeradius to the LDAP myself?

To debug, killall radiusd; radiusd -X (with same arguments otherwise)

If you are using a Samba server emulating a Windows domain controller, you can 
follow the standard directions for Windows and ntlm_auth. If you are intending 
to get hashes directly from LDAP, I have not done that, but it would be 
FreeRADIUS's job. (It's unclear: do you have an existing, working RADIUS server 
that you would like PF to use? Or are you customizing the FR server included in 
PF? I would recommend the latter.)

> After logging into the WPA enterprise (802.1x) WLAN, is the person
> supposed to be able to log into the PF captive portal with the same eduroam
> credentials as well, or does he need to have a second pair of
> username/password for the PF login?

You will need to add a subroutine to /usr/local/pf/(varies by 
version)/vlan/custom.pm, and then eduroam clients will bypass the captive 
portal. It is against Eduroam policy to ask for institutional credentials in 
web forms. 
http://www.eduroam.org/downloads/docs/advisory/eduroamOT-user-advisory-001.pdf

(Inverse friends: this should get a mention in the "PacketFence and Eduroam" 
FAQ entry.)

use Log::Log4perl;
use pf::config;    # provides $EAP and the other connection-type constants

sub shouldAutoRegister {
    # $mac is the MAC address
    # $switch_in_autoreg_mode is set to 1 if the switch is in registration mode
    # $violation_autoreg is set to 1 if called from a violation with an autoreg action
    # $isPhone is set to 1 if the device is considered an IP phone
    # $conn_type is set to the connection type, expressed as the constant in pf::config
    # $user_name is set to the RADIUS User-Name attribute (802.1X username, or the
    #   MAC address under MAC authentication)
    # $ssid is set to the wireless SSID (empty if RADIUS but not wireless, undef if not RADIUS)
    my ($this, $mac, $switch_in_autoreg_mode, $violation_autoreg, $isPhone,
        $conn_type, $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger();

    # custom example: auto-register 802.1X users, since they have already
    # validated their credentials through EAP to complete 802.1X
    if (defined($conn_type) and (($conn_type & $EAP) == $EAP)) {
        $logger->trace("returned yes because it's an 802.1X client that successfully authenticated already");
        return 1;
    }

    # otherwise don't autoreg
    return 0;
}


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users