more EAP/TTLS trouble

Stefan Winter stefan.winter at restena.lu
Wed May 30 15:52:55 CEST 2012


Hi,

> The reasons you stated are why I think this is near impossible. Our
> passwords are stored with md5... I'm not fond of the idea that in
> order to get this to work, we have to compromise our security policy.
> 
> As for the Windows salesman, leaving out features from one OS to sell
> a newer OS is one of the reasons I cannot stand your company. That
> said, Windows 7 is great in my opinion, like Windows XP. If you really
> care, put pressure on your higher ups to extend the functionality to
> support things like EAP/TTLS and PAP. I'm sure there's other
> deficiencies.. How is it right to sell "ultimate" versions of an OS
> for $150-200 when they don't even support as many features as a free,
> open source system?
> 
> I just got into work, so I'll be looking over the suggestions and
> making more attempts at this. Thanks again for all the help!

Here's one more: many folks in eduroam have gone through the exact same
considerations, and some indeed need TTLS-PAP. If it is unavoidable,
there is a GPLed version of SecureW2 which can deliver TTLS-PAP to older
versions of Windows. I'm sure you can find it on the internet somewhere.

Stefan

> 
> 
> On Wed, May 30, 2012 at 8:15 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> On 30/05/12 13:44, Steve Hopps wrote:
>>
>>> IPhones work with a custom config profile that's easily installed.
>>> However, our most significant hurdle is windows machines. Who would have
>>> guessed??? For some stupid reason Microsoft doesn't care about
>>> supporting all modern encryption standards. Making our staff pay for
>>> SecureW2 isn't an option and XSupplicant doesn't work reliably yet in
>>> 64bit Win7. So I'm back to trying to get mschapv2 working with peap.
>>> This seems impossible.
>>
>>
>> It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
>>
>> PEAP/MSCHAP requires you have the plaintext password or NT hash, or access
>> to an mschap "oracle" like ntlm_auth running on Samba as a member of the
>> domain.
>>
>> If you don't have those, you can't do PEAP/MSCHAP, and your options are very
>> limited.
>>
>> EAP-TLS, perhaps?
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
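
The constraint discussed in this thread, as an added example that is not part of the original messages: a hashed password store can verify PAP (the server sees the cleartext inside the TLS tunnel) but cannot verify a challenge-response method. RFC 1994 CHAP stands in here for MSCHAPv2 because it needs only MD5 from the standard library; the unsalted-MD5 store format, the sample password and all function names are assumptions.

```python
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    """Assumed stored form: unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_pap(stored_md5: str, cleartext: str) -> bool:
    """PAP: the server receives the cleartext, so it can hash and compare."""
    return hmac.compare_digest(md5_hex(cleartext), stored_md5)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(server_secret: bytes, ident: int, challenge: bytes,
                response: bytes) -> bool:
    """The server must recompute the response from the secret it holds."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse"            # constructed sample password
    stored = md5_hex(password)            # all the server has on disk
    ident, challenge = 1, os.urandom(16)  # fresh server challenge
    # The client always computes its response from the real password.
    client_resp = chap_response(ident, password.encode(), challenge)
    return {
        "pap_md5_store": verify_pap(stored, password),
        "pap_wrong_password": verify_pap(stored, "wrong"),
        # Works only if the server kept the cleartext password.
        "chap_cleartext_store": verify_chap(
            password.encode(), ident, challenge, client_resp),
        # The MD5 digest is not the secret the client used, so this fails.
        "chap_md5_store": verify_chap(
            bytes.fromhex(stored), ident, challenge, client_resp),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

MSCHAPv2 has the same shape with the NT hash in place of the cleartext secret, which is why an MD5-only store leaves TTLS-PAP or a certificate method such as EAP-TLS.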
