(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment
Mike McCauley
mikem at open.com.au
Wed Sep 14 06:37:12 CDT 2005
Hello Virgil,
On Wednesday 14 September 2005 10:26, Virgil wrote:
> On 9/9/05 9:13 AM, "Virgil" <virgil at webcentral.com.au> wrote:
>
> Hi all,
>
> Because I'm not getting anywhere quickly, I'm going back to basics. Can I
> do what I want?
>
> > The goal is 802.1x for wireless and public wired ports using PEAP and
> > MSCHAPv2. Theoretically, this involves the least amount of configuration
> > on the clients, which are mainly Windows XP.
> >
> > Successful authentication will also provide a per-user (or Group) VLAN
> > assignment, with provision for guest vlan access for non 802.1x clients,
> > and failed authentication.
> >
> > Ideally, I'd like to use the userPrincipalName (UPN) authenticate against
> > Active Directory, with a specified attribute, "pager" in this case, for
> > the Tunnel-Private-Group-ID.
>
> Will AuthBy LSA work with userPrincipalName ?
AuthBy LSA uses the Windows LogonUserNetworkMSCHAP function, which will
authenticate the user in the same way as a standard Windows user logon. You
may need to rewrite the user name into DOMAIN\user format?
>
> The userPrincipalName in the production environment would be
> (virgil at webcentral.com.au), but this has no correlation to the
> sAMAccountName (ab123456cd).
>
>
> If AuthBy LSA does work with userPrincipalName, how to get an LDAP value
> as a Reply Attribute for a successful Auth ? Pseudo config below.
That looks OK, though I have not tried it myself.
>
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy LSA>
>         Domain DOMAINNAME # "NT4" domain as opposed
>                           # to "AD" @webcentral.com.au ???
>         EAPType MSCHAP-V2
>     </AuthBy>
>     <AuthBy LDAP2>
>         ...
>         EAPType NoEAP
>         UsernameAttr userPrincipalName
>         AuthAttrDef pager,Tunnel-Private-Group-ID,reply
>         AddToReplyIfNotExist Tunnel-Type = VLAN,\
>             Tunnel-Medium-Type = Ether_802
>         ...
>     </AuthBy>
> </Handler>
>
>
> #802.1x for wired switches
> <Handler NAS-Port-Type=Ethernet>
>     <AuthBy LDAP2>
>         ...
>         EAPType PEAP
>         UsernameAttr userPrincipalName
>         ...
>     </AuthBy>
> </Handler>
>
>
>
> Regards
> Virgil
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
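Added here as an illustration, not part of Virgil's pseudo config or Mike's reply: the two handlers written out with the parameters that make the LSA and LDAP2 clauses actually chain (AuthByPolicy, NoCheckPassword) and the PEAP certificate settings the outer handler needs. Host names, DNs, DOMAINNAME and certificate paths are placeholders, and whether AuthBy LSA accepts a bare UPN on this domain without a RewriteUsername is an assumption to confirm.

```conf
# Inner (tunnelled) authentication: LSA checks the MSCHAPv2 password,
# LDAP2 only looks the user up and turns "pager" into the VLAN reply.
<Handler TunnelledByPEAP=1>
    # Only fall through to LDAP2 while the previous AuthBy accepted,
    # so a failed Windows logon never gets a VLAN attached to its reply.
    AuthByPolicy ContinueWhileAccept
    <AuthBy LSA>
        Domain DOMAINNAME
        EAPType MSCHAP-V2
    </AuthBy>
    <AuthBy LDAP2>
        # Placeholder connection details for the domain controller.
        Host dc1.example.com
        AuthDN cn=radius,ou=service,dc=example,dc=com
        AuthPassword CHANGEME
        BaseDN ou=people,dc=example,dc=com
        # Search by UPN; LSA already verified the password,
        # so this clause must not try to check it again.
        UsernameAttr userPrincipalName
        NoCheckPassword
        EAPType NoEAP
        # pager -> Tunnel-Private-Group-ID, plus the two attributes
        # the switch needs to interpret it as an 802.1Q VLAN id.
        AuthAttrDef pager,Tunnel-Private-Group-ID,reply
        AddToReplyIfNotExist Tunnel-Type = VLAN,\
            Tunnel-Medium-Type = Ether_802
    </AuthBy>
</Handler>

# Outer PEAP handler for wired 802.1X ports. This AuthBy only runs the
# TLS side of PEAP; the real authentication happens in the Handler above.
# %D is Radiator's DbDir; the certificate file names are placeholders.
<Handler NAS-Port-Type=Ethernet>
    <AuthBy LDAP2>
        Host dc1.example.com
        BaseDN ou=people,dc=example,dc=com
        UsernameAttr userPrincipalName
        EAPType PEAP
        # Server certificate the XP supplicants validate before they
        # send MSCHAPv2 credentials down the tunnel.
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server.pem
        EAPTLS_PrivateKeyPassword CHANGEME
    </AuthBy>
</Handler>
```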
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.