On 2014-11-28, at 9:55 , "Gair, Jon" <[email protected]> wrote:

> I am trying to determine the best way of authenticating users for a secure 
> SSID against an Active Directory source.  My AD source is working fine for a 
> captive portal to sponsor and approve roles for MAC-based authentication, but 
> I am wondering if any of this config can relate to EAP authentication.
>  
> From reviewing the forums and manuals there does not appear to be a clear way 
> forward on this.  Is the best way to follow page 28 of the admin manual that 
> describes installing samba, joining the server to the domain and editing 
> various files in the RADIUS and Kerberos directories?  Would setting this up 
> as an LDAP source rather than AD local source make the process any easier?  
> Do the roles I have configured via the GUI for the portal get used by RADIUS 
> for role/VLAN assignment for EAP?

Hi Jon,

If what you want is to authenticate your users with PEAP using 802.1x, LDAP 
will not work. 
Protocol limitations inherent to PEAP mean that no LDAP query of any kind can 
get this to work with an Active Directory because you cannot get the NT hashed 
passwords out of it using LDAP. 
See here for a protocol compatibility matrix: 
http://deployingradius.com/documents/protocols/compatibility.html

So pretty much your only way forward is to use winbind and join the machine to 
the domain. 
The current PacketFence version comes preconfigured for NTLM authentication but 
you will still have to edit /etc/krb5.conf and /etc/samba/smb.conf to match 
your local configuration.

Think of it this way: in an 802.1x setup with AD, FreeRADIUS is used for 
authentication (checking passwords) and the rules you configure in PacketFence 
are used for authorization (setting which role/VLAN is returned).
The two complement each other.

Hopefully that makes sense and gets you a bit further along.

Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
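
As an added illustration (not part of the original message, and not PacketFence's shipped files), the two files named in the reply might look like this for a winbind domain join. The realm EXAMPLE.COM, the short domain name EXAMPLE and the domain controller dc1.example.com are placeholder assumptions to replace with local values.

```ini
# ---- /etc/krb5.conf ----
# Placeholder realm and KDC (assumptions); the realm is written in upper case.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# ---- /etc/samba/smb.conf ----
# Member-server settings so that winbind can hold the machine account
# and ntlm_auth can pass the MS-CHAPv2 challenge/response to the DC.
[global]
    # NetBIOS (short) domain name, placeholder
    workgroup = EXAMPLE
    # Must match default_realm in krb5.conf
    realm = EXAMPLE.COM
    # Join as an Active Directory member, not a standalone server
    security = ads
    # Lets users authenticate as "user" instead of "EXAMPLE\user"
    winbind use default domain = yes

# After editing both files (commands shown as comments, run as root):
#   net ads join -U <domain-admin-account>   # creates the machine account
#   wbinfo -t                                # checks the trust secret with the DC
#   ntlm_auth --request-nt-key --domain=EXAMPLE --username=<test-user>
# Kerberos rejects the join if the clock differs from the DC by more than
# a few minutes, so time synchronisation must be working first.
```

The account used for `net ads join` only needs the right to join computers to the domain, and the joined host then holds a machine secret that should be protected like any other domain credential.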

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users