<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
<style type="text/css">
<!--
body{margin-left:10px;margin-right:10px;margin-top:10px;margin-bottom:10px;}
-->
</style>
</head>
<body marginleft="10" marginright="10" margintop="10" marginbottom="10">
<div align="left" style="text-align:left;"><font face="Lucida Grande" size="+0" color="#000000" style="font-family:Lucida Grande;font-size:12pt;color:#000000;">This is very promising! Thank you!</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Lucida Grande" size="+0" color="#000000" style="font-family:Lucida Grande;font-size:12pt;color:#000000;">Is there any significant downside to using EAP-TTLS/PAP over PEAP?</font></div>
<br />
<div align="left" style="text-align:left;"><font face="Lucida Grande" size="+0" color="#000000" style="font-family:Lucida Grande;font-size:10pt;color:#000000;"><b>FreeRadius users mailing list <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>> writes:</b></font></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">On 10/10/2012 03:21 AM, Jason Agress wrote:</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#0000DD" style="font-family:Times New Roman;font-size:12pt;color:#0000DD;">> Will that allow successful RADIUS authentication - and, therefore</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#0000DD" style="font-family:Times New Roman;font-size:12pt;color:#0000DD;">> wireless access - before the password change is initiated? Because our</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#0000DD" style="font-family:Times New Roman;font-size:12pt;color:#0000DD;">> clients are Macs that won't prompt for password change until after they</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#0000DD" style="font-family:Times New Roman;font-size:12pt;color:#0000DD;">> are connected to the wireless and authenticating against AD.</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">Ah. Then no, mschap password changes won't help. FreeRADIUS just calls </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">out to AD to auth users. If AD refuses to auth because the password is </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">expired, the only thing you can do is a password change, which requires </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">client support.</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">Since you're using Macs, you do have one option - change your EAP method </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">types you can "force" an accept on. Other auth types use </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">challenge/response methods that require both sides to prove to each other </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">that they know the credentials.</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">To implement this, you'd:</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">  1. Install FreeRADIUS</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">  2. Get EAP working with a local user</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">  3. Get EAP working with AD users via Samba</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">Everything up to this point is documented - see the wiki or </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">deployingradius.com. Once you've got that far, you need to set up two things:</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">  * TTLS</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">  * A script to auth PAP against AD, wrapping ntlm_auth</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">check for "expired" and force a success.</font></span></div>
<br />
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">Anyway - if you're willing to move from PEAP to TTLS, get the basics </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">working then if you need advice, ask here again - people will be glad to </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">help. It's relatively straightforward, but all the pieces might not be </font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">documented in obvious places.</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">-</font></span></div>
<div align="left" style="text-align:left;"><span style="background-color:#d0d0d0;"><font face="Times New Roman" size="+0" color="#000000" style="font-family:Times New Roman;font-size:12pt;color:#000000;">List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></font></span></div>
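<br />
<div align="left" style="text-align:left;"><font face="Lucida Grande" size="+0" color="#000000" style="font-family:Lucida Grande;font-size:12pt;color:#000000;">As an added illustration of the wrapper script described in the quoted reply (this is editor-written example code, not FreeRADIUS, Samba or the list poster's own): a POSIX shell script FreeRADIUS's exec module can call for the TTLS/PAP inner request. It runs ntlm_auth with the plaintext password, and when ntlm_auth fails it overrides the result only for the specific "password expired / must change" status, so wrong passwords and locked or disabled accounts still reject. The script path, the domain name, the exec-module line in the header comment and the exact NT_STATUS_* strings it matches on are assumptions; the exit-code convention (0 accept, 1 reject, 2 fail) is rlm_exec's.</font></div>
<br />
```shell
#!/bin/sh
# ntlm_auth_expired.sh: hypothetical rlm_exec wrapper around Samba's ntlm_auth.
# Example code written for this page; not FreeRADIUS or Samba code.
#
# Assumed exec module configuration (wait = yes so the exit code is used):
#   program = "/usr/local/bin/ntlm_auth_expired.sh EXAMPLE %{mschap:User-Name} %{User-Password}"
#
# Exit status follows the rlm_exec convention:
#   0 = Access-Accept, 1 = Access-Reject, 2 = fail (ntlm_auth could not be run).

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"   # path is an assumption; override via env

# classify_status RC OUTPUT
# Decide accept/reject from ntlm_auth's exit code and its status line.
# Returns 0 (accept) on success, or when the DC reports that the password is
# correct but expired; returns 1 (reject) for every other failure, so wrong
# passwords and locked-out or disabled accounts still fail closed.
# The NT_STATUS_* names are assumed to appear verbatim in ntlm_auth's output.
classify_status() {
    rc="$1"
    out="$2"
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    case "$out" in
        *NT_STATUS_PASSWORD_EXPIRED*|*NT_STATUS_PASSWORD_MUST_CHANGE*)
            # Correct password, but AD wants it changed: let the client on so
            # it can reach a DC and run the password change itself.
            return 0
            ;;
    esac
    return 1
}

# authenticate DOMAIN USER PASSWORD
# Runs ntlm_auth with the plaintext password delivered through the TTLS/PAP
# inner tunnel and applies classify_status to the result.
# Returns 2 if ntlm_auth cannot be found, so FreeRADIUS sees "fail", not "reject".
authenticate() {
    domain="$1"
    user="$2"
    pass="$3"
    if ! command -v "$NTLM_AUTH" >/dev/null 2>&1; then
        echo "ntlm_auth not found: $NTLM_AUTH" >&2
        return 2
    fi
    # --password on the command line is visible in the process list for the
    # duration of the call; FreeRADIUS's stock ntlm_auth module does the same.
    out=$("$NTLM_AUTH" --request-nt-key --domain="$domain" \
            --username="$user" --password="$pass" 2>&1)
    rc=$?
    classify_status "$rc" "$out"
}

# CLI mode for rlm_exec; with no arguments the functions are only defined.
if [ "$#" -eq 3 ]; then
    authenticate "$1" "$2" "$3"
    exit $?
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 DOMAIN USERNAME PASSWORD" >&2
    exit 2
fi
```
<br />
<div align="left" style="text-align:left;"><font face="Lucida Grande" size="+0" color="#000000" style="font-family:Lucida Grande;font-size:12pt;color:#000000;">The important design choice is that classify_status only overrides the one status the quoted reply is about: anything other than a clean success or an explicit expired/must-change status is still a reject, so the wrapper never turns a wrong password into an Access-Accept.</font></div>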
<br />
<br/>
</body>
</html>