understanding

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Thu Mar 29 14:36:27 CEST 2012


Hi,

>    I have two questions for my understanding. I set up FreeRADIUS to
>    authenticate against our Active Directory. I read in the readme that this
>    couldn’t be done with the ldap module, so I did it with SAMBA. It works
>    fine for MSCHAPv2. But nowhere stands why it couldn’t be done with the
>    ldap module. Can anybody give a technical explanation? As I read the ldap
>    module can only work with cleartext passwords and eap is encrypted. But
>    why can’t it work with. A technical explanation would be nice.

it depends what you want to do with the AP and ldap - you can use it to check
group membership etc.

>    As I wrote, I set FreeRADIUS up to work fine with the Active Directory.
>    I configured the eap.conf to work with PEAP and MSCHAPv2. When I
>    configured it in this way I don’t need certificates? The certificates
>    aren’t checked by the clients or server aren’t they? Do I need
>    certificates when I use PEAP with MSCHAPv2 or I am doing something wrong?

PEAP will show the client 2 certificates...the server certificate and the CA
of that certificate (and intermediates if there are any). a basic freeradius install
will have 2 snake-oil certs (local CA and server signed by that CA). it is
up to you to ensure that clients are configured to check/verify the certificates.

alan


More information about the Freeradius-Users mailing list