(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment
Virgil
virgil at webcentral.com.au
Tue Sep 27 21:41:54 CDT 2005
On 14/9/05 9:37 PM, "Mike McCauley" <mikem at open.com.au> wrote:
Mike, and others,
>> Will AuthBy LSA work with userPrincipalName ?
>
> AuthBy LSA uses the Windows LogonUserNetworkMSCHAP function, which will
> authenticate the user in the same way as a standard Windows user logon. You
> may need to rewrite the user name into DOMAIN\user format?
My problem is that the "user" part of "DOMAIN\user" has no correlation to
the "user" part of "user at domain.name", except in the LDAP tree. The current
plan is to use a PreAuthHook to convert a supplied user at domain.name
User-Name into a NT4/LSA username via an LDAP lookup.
Can anyone give me some help with the PreAuthHook code?
<AuthBy LDAP2>
    Identifier LDAP-PEAP
    EAPType PEAP
    EAPAnonymous %0
    ...
    ServerChecksPassword
    UsernameAttr userPrincipalName
    # Reply attribute for VLAN assignment, taken from the matching AD object
    AuthAttrDef extensionAttribute13,Tunnel-Private-Group-ID,reply
    ...
</AuthBy>

<Handler TunnelledByPEAP=1>
    # PEAP inner request
    <AuthBy LSA>
        EAPType MSCHAP-V2
        # "NT4" domain name for AD
        Domain DOMAINNAME
        # LDAP lookup to select the sAMAccountName
        # that matches userPrincipalName for the supplied "User-Name"
        PreAuthHook file:"%D/upn2sam.pl"
        # LDAP lookup to select extensionAttribute13
        # that matches userPrincipalName for the supplied "User-Name"
        PostAuthHook file:"%D/ldapvlan.pl"
    </AuthBy>
</Handler>

<Handler NAS-Port-Type=Ethernet, Service-Type=Framed-User>
    # dot1x auth on switches
    AuthBy LDAP-PEAP
    AddToReplyIfNotExist Tunnel-Type = VLAN,\
        Tunnel-Medium-Type = Ether_802
    RejectHasReason
    AcctLogFileName %L/detail
</Handler>
Regards
Virgil
--
virgil at webcentral.com.au
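A starting point for the upn2sam.pl hook, added here as an example and not code from the post or from Radiator: it looks up sAMAccountName by userPrincipalName with Net::LDAP and rewrites User-Name to DOMAIN\user before AuthBy LSA runs. The hook argument order ($p, $rp, $handled), the LDAP host, bind DN, password and base DN are assumptions; check them against the Radiator reference manual and your directory.

```perl
# upn2sam.pl -- Radiator PreAuthHook: rewrite a UPN-style User-Name
# (user@domain.name) into DOMAIN\sAMAccountName via an LDAP lookup,
# so the inner AuthBy LSA sees the NT4-style name it needs.
# Assumed (not from the post): hook args are ($p, $rp, $handled); the
# host, bind DN, password and base DN below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

sub {
    my ($p, $rp, $handled) = @_;
    my $name = $p->get_attr('User-Name');
    # Leave DOMAIN\user or bare names alone; only UPNs need the lookup.
    return unless defined $name && $name =~ /\@/;

    # User-Name is supplicant-controlled: escape it before it goes into
    # the filter so '*', '(', ')' and '\' cannot widen or break the query.
    my $filter = '(&(objectClass=user)(userPrincipalName='
               . escape_filter_value($name) . '))';

    # Use LDAPS (or start_tls) in production; the bind password travels here.
    my $ldap = Net::LDAP->new('ldaps://ldap.example.com', timeout => 5);
    unless ($ldap) {
        &main::log($main::LOG_ERR, "upn2sam: LDAP connect failed: $@");
        return;
    }
    my $res = $ldap->bind('CN=radius,OU=Service,DC=example,DC=com',
                          password => 'PLACEHOLDER');
    if ($res->code) {
        &main::log($main::LOG_ERR, 'upn2sam: bind failed: ' . $res->error);
        return;
    }
    $res = $ldap->search(base   => 'DC=example,DC=com',
                         scope  => 'sub',
                         filter => $filter,
                         attrs  => ['sAMAccountName']);
    # Demand exactly one match: none means unknown user, more than one is
    # an ambiguous directory; either way leave User-Name unchanged so LSA
    # rejects it instead of the hook guessing an account.
    if ($res->code || $res->count != 1) {
        &main::log($main::LOG_INFO, "upn2sam: no unique match for $name");
        $ldap->unbind;
        return;
    }
    my $sam = $res->entry(0)->get_value('sAMAccountName');
    $ldap->unbind;
    &main::log($main::LOG_DEBUG, "upn2sam: $name -> DOMAINNAME\\$sam");
    $p->change_attr('User-Name', "DOMAINNAME\\$sam");
    return;
}
```

Opening a fresh LDAP connection on every inner request is simple but slow; cache the handle in a file-scoped variable if throughput matters.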
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.