need help & advice getting started with freeradius

Alexander Clouter alex at digriz.org.uk
Sun Apr 5 21:45:47 CEST 2009


tnt at kalik.net wrote:
>
>>In my scenario I would like to use PEAP if possible but not require the user
>>client to have a certificate, just the radius-server (which is why I believe
>>the TTLS solution will be inefficient here as I would have to deal with
>>handing out client certificates to hundreds of users). And to be asked then
>>their username and password to authenticate onto our wireless. Would combining
>>these two guides work to get these two initial setups up and running?
>>
>
TTLS is *not* an admin hassle, TLS is (client-side certificates).  TTLS
means you put a verifiable server certificate on the *server* end that
the client can verify and know who it is talking to, then you can safely
even send the password in plain text.

> PEAP will require passwords stored as clear text or NT hash. If your
> passwords are stored as something else they will have to be changed.
>
...or...you use EAP-TTLS and get the client to send the passwords in
plaintext and then do an LDAP bind() to check if the credentials are
correct.

Once you are doing this you can one day get around to (if you want to)
putting plaintext passwords into your LDAP database that FreeRADIUS
can use and abuse.

> As for combining freeradius and ldap perhaps you should read
> freeradius documentation first (wiki or doc/rlm_ldap from the
> download) and then see if there is any need to bother with third party
> stuff.
>
Well PEAP without AD means you have to jump through a lot of hoops
manually configuring each client by hand.  With something like SecureW2
you include a 'seeding' file and it will do all the hard manual priming.

This is all overlooking that PEAP is horrible as if you want to play
with OTPs or other fun custom things, good luck doing that with PEAP.

Cheers

-- 
Alexander Clouter
.sigmonster says: Marriage causes dating problems.
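An added configuration example, not from anyone in this thread and not the shipped FreeRADIUS defaults verbatim, showing the EAP-TTLS/PAP plus LDAP bind() arrangement described above in FreeRADIUS 2.x syntax; the LDAP server name, base DN and certificate paths are placeholders.

```conf
# eap.conf: outer EAP-TTLS tunnel. Only the server presents a certificate;
# clients just need to be told which CA to trust (the 'seeding' step).
eap {
    default_eap_type = ttls
    tls {
        certdir          = ${confdir}/certs
        private_key_file = ${certdir}/server.pem   # placeholder paths
        certificate_file = ${certdir}/server.pem
        CA_file          = ${certdir}/ca.pem
        dh_file          = ${certdir}/dh
        random_file      = ${certdir}/random
    }
    ttls {
        default_eap_type       = md5
        copy_request_to_tunnel = no
        use_tunneled_reply     = no
        virtual_server         = "inner-tunnel"   # inner PAP request lands here
    }
}

# modules/ldap: the directory we bind against. No password attribute is read,
# so the directory can keep whatever hash format it already uses.
ldap {
    server = "ldap.example.org"             # placeholder
    basedn = "ou=people,dc=example,dc=org"  # placeholder
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# sites-enabled/inner-tunnel: PAP inside the TLS tunnel delivers User-Password
# in the clear, so authentication is an LDAP bind as that user. PEAP/MSCHAPv2
# cannot do this; it needs the cleartext or NT-hash password on the server.
server inner-tunnel {
    authorize {
        ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
}
```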