Okies, long day trying to deploy radius; I think it might be in a working state though. <br><br>Basically I had to use radius 1.7 something as it was in the repos. If problems persist I'll try and compile a binary for the distro they are using (PCLinuxOS). Off topic, I agree with people that a server-orientated OS such as CentOS would make life far easier more often. Anyway, PCLinuxOS it is currently. Initially got ldap up and running and local radtest worked well with a user from the directory; when I tried getting my iPhone to connect, problems ensued. Quickly worked out that the iPhone defaults to sending a PEAP EAP request, which as your documentation states would stop the ldap bit as I hadn't touched anything to do with TLS, PEAP etc. at that point. <br>
<br> I have NTPassword in my ldap directory so I could use PEAP; however, maybe misconfiguration by me, or the fact that my entry does not have a preceding 0x (instead it just has 32 digits without the preceding two characters), could be why this wasn't working. However my ldap field is set to max 32 chars long so not sure how to append these two characters, and changing a lot of entries if I fuzz up will be very bad news.<br>
<br> So instead went with TTLS. This time I started from scratch as I'm convinced by now the config files were probably messed over, and this time when I set it up I still find that I can query ldap user with radtest locally, which is good. Haven't tried the wireless point yet as the iPhone requires a profile sent to it from the iPhone configurator tool to set TTLS. However it also asks for inner authentication protocol. I've set this to PAP as I'm assuming that ms-chap is going to require NT-password. Is this likely to work or do I have to do something to configure PAP? I realise if I get TTLS up and running I'm going to have to create some deployment stuff to get it out there, but I will cross that bridge when it comes to it. <br>
<br> Will post up if I get any more problems tomorrow when I try the profiled iPhone. If it doesn't work I'm not sure what would be causing these problems, so will send my configs and errors tomorrow. <br><br> Atm the setup is like this: openldap directory and freeradius 1.7 on same server (xen), freeradius refers to ldap by localhost. Linksys wireless access point in enterprise mix mode which only has an ip for radius server and port options. Linksys point added to client.conf. iPhone for testing.<br>
<br><div class="gmail_quote">On Sun, Apr 5, 2009 at 10:24 PM, Alexander Clouter <span dir="ltr">&lt;<a href="mailto:alex@digriz.org.uk">alex@digriz.org.uk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">daniel knox &lt;<a href="mailto:mail@dknox.co.uk">mail@dknox.co.uk</a>&gt; wrote:<br>
><br>
</div><div class="im">> Lol just actually read some stuff on WPA and learnt a bit more about EAP. I<br>
> realise now that TTLS does not require client certificates like I previously<br>
> thought, only the server. Apologies for this misunderstanding. Although I<br>
> do realise now that SecureW2 would be required to give my Windows users the<br>
> ability to access this. Although this may not be too difficult to distribute<br>
> to them I would have to look into these possible issues.<br>
><br>
</div>You use server certificates for PEAP too, it's madness not to use a<br>
server certificate in either case. If you do not then the clients are<br>
more than happy to dish out user credentials to anyone who asks.<br>
<br>
I prefer TTLS as although PEAP is already built into Mac OS X and<br>
Windows, neither can be easily autoconfigured with some kind of priming<br>
script[1]. We use TTLS as it's not braindead[2] and in the case of<br>
SecureW2 it can be trivially autoconfigured. If you tie it in with a<br>
NSIS script then you can do some *really* nice things for wireless<br>
workstation priming for your Windows userbase.<br>
<br>
Cheers<br>
<br>
[1] not that I know of anyway, and Mac OS X 10.5 seems to have dropped<br>
support for wireless profile importing<br>
[2] well from my perspective, I'm sure implementors out there might say<br>
otherwise<br>
<font color="#888888"><br>
--<br>
Alexander Clouter<br>
.sigmonster says: Neil Armstrong tripped.<br>
</font><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br>