Hey, Matt,

This setup is actually almost identical to what we're doing here at UT Dallas.
As is commonly seen on the FreeRADIUS mailing lists, I think you may be confusing how to use PEAP with LDAP a little. In order to use PEAP with LDAP, you don't use LDAP "authentication" in FreeRADIUS. You have to store either a cleartext password or an NTLMv2 password hash in your LDAP directory for each of your users. Be sure if you do this to set appropriate ACLs on the attribute containing the password/hash so that only the RADIUS connect profile can get to that attribute. In any case, once you've done this, the LDAP module goes in your authorize section in FR so that it can pull the password or hash out and use it to perform the authentication itself using the mschap module.
Also, for PEAP, you only need a certificate for your RADIUS servers to authenticate the network to the users. Your users don't need personal certificates as they would using EAP-TLS. If you purchase a commercial certificate from one of the CAs included by default in your client OSes, then you don't have to install anything on the clients and just have to configure them for access.
These links might be useful for you:

UTD's 802.1x setup instructions for Windows XP: http://www.utdallas.edu/ir/cats/network/wlan/8021x/winxp/index.html

I actually gave an Educause Live presentation on UTD's 802.1x deployment. It's archived here:

http://www.educause.edu/LIVE058

Hope that helps!

--Mike

On Jul 7, 2006, at 1:50 PM, Matt Ashfield wrote:
Hi All

I'm trying to configure 802.1x wireless authentication using credentials stored in LDAP. I am running FreeRadius and SunOne ldap server. The Radius server is correctly doing authentication attempts to the LDAP server (I issue the "radtest" command with a username/passwd from LDAP and I get an authenticate-accept back).

The next step is setting up an XP client to talk to an Access Point, which is configured to authenticate via the Radius server, via LDAP. So far, in my minimal testing, I've seen the client try to connect using its Windows credentials rather than giving the user a chance to enter a username/password.

I'm sure others out there are doing this. I'm just wondering what you're using? EAP-TLS, PEAP, etc.? I guess I need to get my acronyms straight first and go from there.

From what I can tell PEAP will require my users to install a certificate. We'd much rather prefer them to have to enter their LDAP usernames and passwords.

Any advice is appreciated.

Thanks

Matt Ashfield
[EMAIL PROTECTED]

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
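Mike's description above (the ldap module in authorize to fetch the stored password or hash, the mschap module doing the actual authentication, and a single server certificate for PEAP) maps onto the FreeRADIUS configuration fragments below. This is an added example, not part of either message and not UT Dallas's or anyone else's real configuration. It assumes FreeRADIUS 3.x syntax (the thread predates it), that the hash is stored in a `sambaNTPassword` attribute, and the placeholder base DN `dc=example,dc=edu` and bind user `cn=radius,ou=services,dc=example,dc=edu`. MS-CHAPv2 inside PEAP is computed from the NT hash (MD4 of the UTF-16LE password), so that is the hash to store if you do not store cleartext. The ACL at the end is OpenLDAP `slapd.conf` syntax, included only to show the intent; it would need translating for Sun ONE Directory Server.

```conf
# mods-available/ldap  (assumed server, DNs and attribute name)
ldap {
    server   = "ldaps://ldap.example.edu"
    identity = "cn=radius,ou=services,dc=example,dc=edu"
    password = "changeme"
    base_dn  = "ou=people,dc=example,dc=edu"

    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # Copy the stored hash into a control attribute. The mschap
        # module uses it to check the MS-CHAPv2 response itself; no
        # LDAP bind with the user's password ever happens. If the
        # directory holds cleartext instead, map it to
        # control:Cleartext-Password from userPassword.
        control:NT-Password := 'sambaNTPassword'
    }
}

# sites-available/inner-tunnel: the PEAP tunnel terminates here.
# "ldap" goes in authorize only. Listing it in authenticate would make
# FreeRADIUS attempt an LDAP bind with a password that MS-CHAPv2 never
# sends, which is the mistake Mike describes.
server inner-tunnel {
    authorize {
        mschap                # sets Auth-Type := MS-CHAP on MS-CHAP requests
        eap { ok = return }
        ldap                  # fetches NT-Password for this user
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap            # verifies the response against NT-Password
        }
        eap
    }
}

# mods-available/eap: the only certificate required is the server's,
# which authenticates the network to the user. Clients need nothing
# installed if it chains to a CA already in the client OS trust store.
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/radius.key
        certificate_file = ${certdir}/radius.pem    # commercial server cert
        ca_file          = ${cadir}/ca-chain.pem
    }
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
    mschapv2 {
    }
}

# OpenLDAP slapd.conf ACL (assumption; Sun ONE uses a different syntax).
# Only the RADIUS bind DN may read the hash; users cannot read their own.
access to attrs=sambaNTPassword
    by dn.exact="cn=radius,ou=services,dc=example,dc=edu" read
    by * none
```

Before touching a client, exercise the hash path from the server with `radtest -t mschap <user> <password> localhost 0 <secret>` against the inner-tunnel server: an Access-Accept there proves the ldap module is returning the hash and mschap can verify against it, which a plain PAP `radtest` (what Matt ran) does not prove, since PAP can succeed through an LDAP bind even when no hash is stored.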