Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

Bertalan Voros bertalan.voros at gmail.com
Fri Jan 25 16:25:20 CET 2013 

Hi Alan,

Thanks for your insight, you are absolutely correct regarding the issues.
I will have to find a compromise that is acceptable by everyone.

>
> >    We maintain a central AD with all the user accounts in it but there
> are no
> >    machines associated with that AD.
>
> any reasons for proxying to the NPS rather than binding the FR system into
> the AD
> and authenticating locally?
>

Only that the FR site mentioned it to be complicated and we already have an
NPS that we are otherwise happy with.
Looks like this would be the best option.


>
> >    The self signed certificate works but people get prompted to accept
> it and
> >    we were asked if it was possible for that to not happen.
>
> some clients may prompt for the RADIUS or CA certificate anyway.
>
> >    The most likely users of this service would be the VIP types, it is
> >    expected to "just work" so here I am.
>
> ah...the VIP types who 'just want it to work!' - and thus decide that
> security
> requirements are superfluous and get in the way. fine, you need to
> demonstrate the
> issue with a classic man in the middle attack - a couple of easy to boot
> systems
> exist which do that.
>
> >    Self signed or commercial makes no difference as the certificate is
> only
> >    used for server authentication.
>
> correct.
>
> >    The only difference is users having to manually trust a cert or not.
> >    Unless I am wrong.
>
> I would seriously advise that you look to having the right security in
> place and avoid
> users/clients having to configure their systems - ie an 802.1X deployment
> tool (such
> as XpressConnect from CloudPath) which will do all the work/configuration
> and installation
> of a CA for you as per your requirements - multi-platform and will do
> wireless and wired.
> (there are alternatives but none that are as feature-rich and support as
> many clients)
>

Will definitely look into that.
The difficulty is that some of the users are so remote from us that our
only encounter with them is seeing a log entry.
This is a global solution very removed from the local tech team, only used
to let roaming users on the wireless network.
We are providing a radius so they don't have to maintain a full copy of all
the users in the network (network of companies).

It's a continuous headache for us.



> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Bertalan Voros
m: 07932858025
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130125/6589bae5/attachment.html>

More information about the Freeradius-Users mailing list