New design/deployment of freeradius

Tena Gore tenag at fsusd.org
Wed May 22 18:48:37 CEST 2013


Thank you all for your replies. Our passwords are SALTED SHA1 encoded, so
the chart you so kindly directed me to states we would have to use EAP-GTC
with PAP. Seems I have quite a steep learning curve in a short amount of
time.



On Wed, May 22, 2013 at 12:13 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 05/22/2013 12:58 AM, Tena Gore wrote:
>
>> I'd like to verify that I'm on the right track here with setting up the
>> protocols and types to use.
>>
>
> See:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>> We have to use PAP because of not having clear text passwords?
>>
>
> Well, you said what it wasn't, but didn't say what it *was*.
>
> MSCHAP requires the NT hash, or the cleartext to generate the NT hash.
>
> If you have a crypt (old or new style) then yes, you will need to use PAP.
>
>> To avoid client certificates, we can use PEAP type of EAP?
>>
>
> PEAP does not support PAP, only MSCHAP.
>
> To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7
> without 3rd party software.
>
>> Also, we have a wildcard domain SSL certificate, can this be used or do
>> we have to create a new one for this purpose on the server?
>>
>
> People have reported problems with wildcard certs and windows clients. See
> the list archives.
>
>> Is there a recommended configuration for this type of deployment? Do you
>> have any tips or tricks that would make our deployment go smoother?
>>
>
> "Recommended" would be to move to store plaintext passwords, which will
> let you use the full variety of EAP methods.
>
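
Added example, not part of the original thread and not FreeRADIUS code: why a salted SHA1 store forces PAP. It assumes the passwords are in the LDAP-style {SSHA} layout, base64(sha1(password + salt) + salt), which the thread does not confirm; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value (assumed layout): base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, cleartext: str) -> bool:
    """Check the cleartext that PAP delivers against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no salt bytes after the digest
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # The salt is only usable together with the cleartext: the server must
    # re-hash what the client typed, which is exactly what PAP hands over.
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def inner_methods(stored_form: str) -> list:
    """Inner methods usable for a stored password form, per the thread."""
    methods = ["EAP-TTLS/PAP"]  # server receives cleartext, can re-hash it
    if stored_form in ("cleartext", "nt-hash"):
        methods.append("PEAP/MSCHAP")  # needs the NT hash or cleartext
    return methods


if __name__ == "__main__":
    # Constructed sample account, not real data.
    stored = make_ssha("correct horse", bytes.fromhex("0011223344556677"))
    print(stored, verify_ssha(stored, "correct horse"), inner_methods("ssha"))
```

An MSCHAP exchange never carries the cleartext, so there is nothing to feed into verify_ssha; that is the gap the compatibility chart encodes.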

