REMY Lionel <[EMAIL PROTECTED]> wrote:
> I use freeradius 1.0.1 to authenticate wireless users with EAP-TTLS or
> PEAP against an LDAP backend.

  No. LDAP is a database, not an authentication server. LDAP supplies a clear-text password, and FreeRADIUS does EAP authentication.

> It works... but with some conditions. The NAS puts the user in the good
> vlan if the vlan reply items are _outside_ the TLS tunnel.

  Yes... the NAS can't see inside the TLS tunnel.

> So I have to put the same User-Name in the request inside _and_ outside
> the tunnel to take effect because the option "use_tunneled_reply" in
> eap.conf doesn't work with PEAP.

  Hmm... that may be a bug.

> And it is a security problem: If I know a valid User-Name authorized to
> access another vlan, I can authenticate with my credentials, but putting
> that valid User-Name outside the tunnel permits me to access the vlan
> attached to this User-Name.

  Sounds like a problem.

> My question is: How can I solve this problem?

  Fix the PEAP module so "use_tunneled_reply" works. When the code was written, it was tested & verified to work. It *doesn't* work when the tunneled session is proxied to another server.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
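For reference, the configuration the thread is talking about, as an added example that is not part of the thread or of the FreeRADIUS distribution: the peap stanza with use_tunneled_reply enabled, plus a constructed users-file entry (user name and VLAN number are placeholders) showing the VLAN reply items bound to the inner, authenticated identity.

```conf
# In eap.conf (FreeRADIUS 1.x), inside the existing eap { } section.
# The NAS only sees the outer Access-Accept, so the VLAN reply items it
# acts on must come from the session that was actually authenticated
# inside the tunnel, not from the outer User-Name the client chose.
peap {
	default_eap_type = mschapv2
	copy_request_to_tunnel = no
	# Use the inner (tunneled) session's reply attributes as the outer
	# reply, instead of whatever the outer User-Name matched in
	# users/LDAP. The thread above reports this not taking effect in
	# 1.0.1 when the inner session is proxied to another server.
	use_tunneled_reply = yes
}

# users file: constructed example. The password comes from LDAP; this
# entry only supplies the VLAN reply items (RFC 3580 tunnel attributes)
# for the inner identity. "alice" and VLAN 10 are placeholders.
alice
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"
```

With use_tunneled_reply = no, the outer reply is built from the outer User-Name's authorization, which is exactly the mismatch described above; after changing the setting, verify with a client that sends a different outer identity that the VLAN returned is the one belonging to the inner identity.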

