Freeradius + Active Directory

Phil Mayers p.mayers at imperial.ac.uk
Thu Oct 21 17:16:49 CEST 2010


On 21/10/10 15:50, Rowley, Mathew wrote:
> Ah, that is true. I never thought that deeply into it, and only did a POC.
> Is the downfall of doing things this way that passwords must be sent in
> the clear?

Not really. The User-Password RADIUS field is "encrypted" with the
shared secret, which is reasonable (though not excellent) security.

For wireless/wired 802.1x users, the issue is that the Windows
supplicant does not *support* EAP-TTLS/PAP. It only supports 
EAP-PEAP/MS-CHAP, so rlm_krb5 is no use in this (common) case.

As I say, if you're just checking PAP it may meet your needs.


