more EAP/TTLS trouble

Steve Hopps steve.hopps at gmail.com
Wed May 30 15:47:55 CEST 2012


The reasons you stated are why I think this is near impossible. Our
passwords are stored with MD5... I'm not fond of the idea that in
order to get this to work, we have to compromise our security policy.

As for the Windows salesman, leaving out features from one OS to sell
a newer OS is one of the reasons I cannot stand your company. That
said, Windows 7 is great in my opinion, like Windows XP. If you really
care, put pressure on your higher ups to extend the functionality to
support things like EAP/TTLS and PAP. I'm sure there are other
deficiencies. How is it right to sell "ultimate" versions of an OS
for $150-200 when they don't even support as many features as a free,
open source system?

I just got into work, so I'll be looking over the suggestions and
making more attempts at this. Thanks again for all the help!


On Wed, May 30, 2012 at 8:15 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 30/05/12 13:44, Steve Hopps wrote:
>
>> iPhones work with a custom config profile that's easily installed.
>> However, our most significant hurdle is Windows machines. Who would have
>> guessed??? For some stupid reason Microsoft doesn't care about
>> supporting all modern encryption standards. Making our staff pay for
>> SecureW2 isn't an option and XSupplicant doesn't work reliably yet in
>> 64-bit Win7. So I'm back to trying to get MSCHAPv2 working with PEAP.
>> This seems impossible.
>
>
> It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
>
> PEAP/MSCHAP requires you have the plaintext password or NT hash, or access
> to an mschap "oracle" like ntlm_auth running on Samba as a member of the
> domain.
>
> If you don't have those, you can't do PEAP/MSCHAP, and your options are very
> limited.
>
> EAP-TLS, perhaps?
