EAP-TLS and EAP-TTLS/MSCHAPv2 in parallel...possible ?
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 28 10:53:17 CET 2014
On 28/02/14 09:11, Ben wrote:
> Hi,
>
> I've got a solution currently in place that works beautifully
> authenticating users with certificates using EAP-TLS.
>
> Unfortunately, I need to start catering for users who have, shall we
> say, "limited" endpoints that only support TTLS/MSCHAPv2 type

This is a standard, even trivial, config. See:

http://deployingradius.com/

...and follow the HOWTOs section.

Basically, if you have EAP-TLS working, it's likely that the only thing
you need to do is ensure the server can get at the password or
compatible hash (for MSCHAP, NT hash only) and it'll work.

Problem is you've been a bit vague. What have you tried, if anything?
What version of the server are you running?

> will happen .... e.g. the following comment ....
>
> # Note that this means "check plain-text password against
> # the ldap database", which means that EAP won't work,
> # as it does not supply a plain-text password.

That comment refers to forcing authentication via LDAP bind. If you
don't do that, you won't have this problem.

Suggest:

1. Ensuring you're on a recent version of the server, 2.2.3
2. Follow the deployingradius docs linked above on a test server
3. When you understand how it has all fit together, migrate the config
to your production system, with your existing TLS CA/certs

As with all systems tasks, if you're new to it then make small changes,
check your results into version control after each success, follow the docs.

If you've got specific questions, people can give more specific answers.

Good luck,
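
The reply's point that MSCHAP needs the password or an NT hash can be checked against a directory export before TTLS/MSCHAPv2 is enabled. The following is an added example, not part of the original post or of FreeRADIUS; the attribute names `userPassword` and `sambaNTPassword`, the scheme headers and all sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample directory entries (placeholder values, not from the thread).
SAMPLE_USERS = {
    "alice": {"userPassword": "{SSHA}cGxhY2Vob2xkZXI="},
    "bob":   {"userPassword": "{SSHA}cGxhY2Vob2xkZXI=",
              "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF"},
    "carol": {"userPassword": "{CLEARTEXT}example-only"},
    "dave":  {"userPassword": "{CRYPT}$6$salt$placeholder"},
    "erin":  {"sambaNTPassword": "not-a-hash"},
}

HEADER = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)  # "{SCHEME}value"
NT_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")                # 16 bytes as hex
CLEAR_SCHEMES = {"clear", "cleartext"}

def mschap_usable(entry):
    """Return (ok, reason): can an MSCHAPv2 challenge be answered from this entry?"""
    nt = entry.get("sambaNTPassword")
    if nt is not None and NT_HASH.match(nt):
        return True, "NT hash"
    pw = entry.get("userPassword")
    if pw is not None:
        m = HEADER.match(pw)
        if m is None:
            return True, "cleartext (no scheme header)"
        if m.group(1).lower() in CLEAR_SCHEMES:
            return True, "cleartext"
        # Salted or one-way hashes can only be checked against a plain-text
        # password, which MSCHAPv2 never supplies.
        return False, "one-way %s hash: PAP only" % m.group(1).upper()
    if nt is not None:
        return False, "malformed NT hash"
    return False, "no stored credential"

def audit(users):
    """Map each user name to its (ok, reason) result."""
    return {name: mschap_usable(entry) for name, entry in users.items()}

if __name__ == "__main__":
    for name, (ok, why) in sorted(audit(SAMPLE_USERS).items()):
        print("%-6s %-4s %s" % (name, "OK" if ok else "FAIL", why))
```

Users reported as FAIL would keep working with EAP-TLS but could not authenticate with TTLS/MSCHAPv2 until a cleartext password or NT hash is stored for them.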