On 01/30/2013 05:54 PM, Nicola Volpini wrote:
> Our idea is to use either PEAP/MSCHAPv2 for ease of deployment or
> EAP-TLS, both providing the cross platform compatibility we aim for.
> After the authentication the user would be mapped to the right vlan by
> the switch depending on her/his "gid" value obtained via an LDAP query

This is possible. The exact method depends on the organisation: some have groups which have VLAN ids as part of group names, some use a hardwired group membership -> VLAN mapping, and others may specify the VLAN directly for the user object.

> From what I understood the choice between PEAP and EAP-TLS is mainly
> dependent on the compatibility with our current user/password store. If
> I got it correctly, it's mandatory to have passwords stored in cleartext
> to allow PEAP/MSCHAPv2 to work, which is not our case since we hash the
> passwords.

NT Hash would work too. See goodies/nthash.pl for the expected format.

> Even if this setup worked I assume we would still need the user to
> reconfigure the supplicant every 90 days (we enforce a password change)
> which is kinda annoying for them.

Alan suggested using PEAP for password change. That would require MSCHAP-V2 password change support, which is not, at least currently, supported. Or was it something else?

> At this point EAP-TLS would be the way to go! A question arises though:
> are the EAP-TLS certs generated specifically for the user or for the
> machine?

As you mentioned, this is not a Radiator issue because it does not care if the certificate is for a human or a machine. The minimum Radiator requires is a matching CA certificate. The certificate management is the hard part with EAP-TLS. If you take a look at goodies/eap_tls.cfg and change AuthBy FILE to AuthBy LDAP2, you can use this to do LDAP based checks for certificate validity.

Thanks,
Heikki

-- 
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
