Just an alternative to installing Samba, Kerberos .... https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
Fabrice

On Friday, November 28, 2014 10:08 EST, Louis Munro <[email protected]> wrote:

>
> On 2014-11-28, at 9:55 , "Gair, Jon" <[email protected]> wrote:
>
> > I am trying to determine the best way of authenticating users for a secure
> > SSID against an Active Directory source. My AD source is working fine for
> > a captive portal to sponsor and approve roles for MAC based authentication
> > but wondering if any of this config can relate to EAP authentication.
> >
> > From reviewing the forums and manuals there does not appear to be a clear
> > way forward on this. Is the best way to follow page 28 of the admin manual
> > that describes installing samba, joining the server to the domain and
> > editing various files in the RADIUS and Kerberos directories? Would
> > setting this up as an LDAP source rather than AD local source make the
> > process any easier? Do the roles I have configured via the GUI for the
> > portal get used by RADIUS for role/VLAN assignment for EAP?
>
> Hi John,
>
> If what you want is to authenticate your users with PEAP using 802.1x, LDAP
> will not work.
> Protocol limitations inherent to PEAP mean that no LDAP query of any kind can
> get this to work with an Active Directory because you cannot get the NT
> hashed passwords out of it using LDAP.
> See here for a protocol compatibility matrix:
> http://deployingradius.com/documents/protocols/compatibility.html
>
> So pretty much your only way forward is to use winbind and join the machine
> to the domain.
> The current PacketFence version comes preconfigured for NTLM authentication
> but you will still have to edit /etc/krb5.conf and /etc/samba/smb.conf to
> match your local configuration.
>
> Think of it this way: in an 802.1x setup with AD, FreeRADIUS is used for
> authentication (checking passwords) and the rules you configure in
> PacketFence are used for authorization (setting which role/VLAN is returned).
> The two complement each other.
>
> Hopefully that makes sense and gets you a bit further along.
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
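
As an added illustration of the two files named in the quoted reply (not part of the original thread and not PacketFence's shipped configuration), here is a minimal winbind setup for a domain join. The realm EXAMPLE.COM, the NetBIOS name EXAMPLE and the domain controller dc1.example.com are placeholders to replace with local values.

```ini
# ---------------------------------------------------------------
# /etc/krb5.conf  (constructed example; all names are placeholders)
# ---------------------------------------------------------------
[libdefaults]
    # Kerberos realm = AD DNS domain name, in upper case
    default_realm = EXAMPLE.COM
    # Let the client locate domain controllers through DNS SRV records
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # Explicit KDC in case SRV lookups are not available
        kdc = dc1.example.com
    }

[domain_realm]
    # Map hosts in the DNS domain to the Kerberos realm
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# ---------------------------------------------------------------
# /etc/samba/smb.conf  (constructed example; all names are placeholders)
# ---------------------------------------------------------------
[global]
    # NetBIOS (short) domain name
    workgroup = EXAMPLE
    # Must match default_realm in /etc/krb5.conf
    realm = EXAMPLE.COM
    # Act as an Active Directory domain member
    security = ads
    # Accept "user" as well as "EXAMPLE\user" in authentication requests
    winbind use default domain = yes

# After editing both files, on the RADIUS host:
#   net ads join -U <domain admin account>   joins the machine to the domain
#   wbinfo -t                                checks the machine trust secret
# winbind then answers the NTLM checks that PEAP (MSCHAPv2) needs, which is
# the part an LDAP query cannot provide because AD does not expose NT hashes
# over LDAP.
```

The join creates a machine account in AD, so the account used for `net ads join` needs the right to add computers to the domain, and the host's clock must be in sync with the domain controller for Kerberos to succeed.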
