CiscoAP->Freeradius->AD->ISA(ntlm authentication)

Konne bridge_stone at gmx.net
Wed Jan 4 12:13:43 CET 2006


hi

Yes, I know they have to authenticate two times. But in my case it's not
so easy. We have more than 400 PCs connected to the domain (wired), so
they will be authenticated transparently through the ISA. Then there are
a lot that aren't in the domain (also wired); they are only authenticating
against the ISA because they only need to surf the internet.
Now we need access points. What would be the best way? We also need some
filtering service (Websense), which is installed on the ISA, so the new
(wireless) clients have to surf through the ISA, so it isn't possible to
omit the ISA authentication. I would omit the chilli authentication.

What's the best and secure way to authenticate my wireless clients? They
will be MacOS, *nix, Windows 2000/XP.
EAP-TTLS/MSCHAPv2???

If it's too difficult I would leave out the ISA, so they would
authenticate only against the AD.

thx



Alan DeKok wrote:

> Konne <bridge_stone at gmx.net> wrote:
>
>> FreeRADIUS looks in the Active Directory if the
>> user exists and has the rights to connect to the internet. If the
>> authentication is ok, the user must surf over an ISA because there is
>> Websense installed.
>
>   That's not helpful.  You're saying that even though you know only
> authenticated users access your net, you still make them authenticate
> again?
>
>> Is it possible to have a transparent authentication
>> through the ISA server? I mean if the client is in the condition that he
>> can send the NTLM authentication, that he doesn't have to authenticate
>> twice: one time on the chillispot and the second on the ISA
>> server. Is there any possibility?
>
>   The only way to do that is if the RADIUS server can tell the isa
> that the user is OK, and they don't have to be authenticated.  See the
> isa docs for if this is possible, and if possible, how.  Then write a
> script on FreeRADIUS to send the information isa needs.
>
>   In general, what you want to do is difficult, because most people
> don't do it.  And most people don't do it because authenticating
> people twice is pointless.
>
>   Alan DeKok.
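For reference, this is what the FreeRADIUS side of the setup discussed above (EAP-TTLS with inner MSCHAPv2, passwords checked against Active Directory through Samba's ntlm_auth) looks like. It is an added example in FreeRADIUS 3.x configuration syntax, not configuration posted in the thread or taken from the FreeRADIUS project's own files; it assumes the RADIUS host has been joined to the domain with winbind so that /usr/bin/ntlm_auth can reach a domain controller, and the certificate paths are placeholders.

```conf
# raddb/mods-available/mschap  (FreeRADIUS 3.x syntax; added example)
# The inner MSCHAPv2 exchange is verified against Active Directory by
# handing the challenge/response pair to Samba's ntlm_auth.
# Assumption: this host is joined to the domain and winbindd is running.
mschap {
    # Return MPPE keys so the access point can derive the WPA session key
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    # Strip "DOMAIN\" from the user name before passing it on
    with_ntdomain_hack = yes

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# raddb/mods-available/eap  (only the parts relevant to TTLS/MSCHAPv2)
eap {
    default_eap_type = ttls

    tls-config tls-common {
        # Placeholder paths. Supplicants must validate this server
        # certificate; without that check the inner MSCHAPv2 exchange is
        # only as safe as whatever access point the client happens to join.
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }

    ttls {
        tls = tls-common
        # Inner method carried inside the TLS tunnel
        default_eap_type = mschapv2
        # The inner identity is processed by this virtual server, whose
        # authorize and authenticate sections must list "mschap".
        virtual_server = "inner-tunnel"
    }
}
```

Two practical notes for the client mix named in the question: the MacOS supplicant speaks EAP-TTLS natively, but the built-in Windows 2000/XP supplicant only offers EAP-TLS and PEAP, so Windows machines either need a third-party supplicant for TTLS or the server should also enable PEAP with the same inner MSCHAPv2 (the mschap block above serves both). The RADIUS step only proves the user has a valid AD password; restricting who may use the wireless (the "has the rights to connect" part) is a separate authorize-time group check, and none of this removes the NTLM prompt from the ISA, which is the point of Alan's reply.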
