I never thought about splitting the authentication and authorization between NTLM and LDAP.

I don't see why that wouldn't work, but I really have no idea. But that would be pretty slick, coupled with some hacked WRT54Gs to support the VLANs... a pretty cheap enterprise-level solution!

-- Chris Liles

> -----Original Message-----
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED]] On Behalf Of Neal S. Garber
> Sent: Wednesday, June 28, 2006 4:44 PM
> To: FreeRadius users mailing list
> Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
>
> > You will need to configure the LDAP module to fetch groups from AD's LDAP
> > server. See copious documentation or posts to the list. Broadly, once the
> > LDAP module is set up correctly:
> >
> > DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students"
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = 10,
> >         Tunnel-Type = VLAN
> >
> > DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff"
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = 20,
> >         Tunnel-Type = VLAN
>
> The doc. states that LDAP only supports PAP. Is this a problem given he
> said he's using PEAP/MSCHAPv2? How would LDAP do the authentication if it
> doesn't have a clear-text password? Or is the approach to use MSCHAPv2 for
> authentication and then LDAP for authorization??
>
> Thanks for helping me better understand...
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
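The split the thread is circling around is exactly how this is normally done. MS-CHAPv2 needs the user's NT hash, and Active Directory never hands that out over LDAP, so rlm_ldap cannot authenticate an MS-CHAPv2 request; it can only bind with a clear-text (PAP) password. What it can do is look the user up and answer `Ldap-Group` checks. Authentication therefore goes to the domain controller via Samba's `ntlm_auth` (the RADIUS host must be joined to the domain and running winbind), and LDAP is used purely for authorization. The fragments below are an added example for a FreeRADIUS 1.x-style `radiusd.conf`, `eap.conf` and `users` file, not configuration from the thread or from the FreeRADIUS project; the hostname, DNs, service-account name, domain name and path are placeholders, and the group names and VLAN IDs are the ones quoted above.

```conf
# radiusd.conf (added example; placeholders, not the list poster's config)
modules {
        # AUTHENTICATION: MS-CHAPv2 is verified by the domain controller through
        # ntlm_auth. This works because ntlm_auth passes the challenge/response
        # to winbind; no password or hash ever has to be readable by FreeRADIUS.
        mschap {
                with_ntdomain_hack = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

        # AUTHORIZATION ONLY: bind as a low-privilege, read-only account, find the
        # user's DN and resolve group membership. No password check happens here.
        ldap {
                server = "dc1.example.local"                      # placeholder
                identity = "CN=radius-ro,OU=Service Accounts,DC=example,DC=local"  # placeholder
                password = "changeme"                             # placeholder
                basedn = "DC=example,DC=local"                    # placeholder
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                groupname_attribute = cn
                groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        mschap
        # eap must run before ldap so Auth-Type is already EAP/MS-CHAP by the time
        # rlm_ldap runs; ldap is then only consulted for Ldap-Group checks.
        eap
        ldap
        files
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

# eap.conf (added example)
eap {
        default_eap_type = peap
        tls {
                # server certificate/key settings omitted; they are required
        }
        peap {
                default_eap_type = mschapv2
                # The Ldap-Group check and the Tunnel-* reply are evaluated on the
                # inner (tunnelled) request, so copy the inner reply to the outer
                # Access-Accept or the switch/AP never sees the VLAN attributes.
                use_tunneled_reply = yes
        }
        mschapv2 {
        }
}

# users (added example): VLAN chosen solely from AD group membership
DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Students"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10

DEFAULT NAS-Port-Type == "Wireless-802.11", Ldap-Group == "Staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20
```

Two things to check before trusting this in production. First, run `ntlm_auth --request-nt-key --username=someuser --domain=EXAMPLE --password=...` from the shell as the user FreeRADIUS runs as; if that fails (winbind not running, host not joined, wrong privileges on the winbind pipe), every MS-CHAPv2 login fails regardless of the RADIUS config. Second, the LDAP bind account needs read access to group membership only; do not reuse a domain admin. On the client side, PEAP only protects the MS-CHAPv2 exchange if supplicants validate the RADIUS server certificate, so enforce that in the client profile or a rogue access point can collect challenge/response pairs for offline cracking.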

