<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)">Thank you all for your replies. Our passwords are SALTED SHA1 encoded, so the chart you so kindly directed me to states we would have to use EAP-GTC with PAP. Seems I have quite a steep learning curve in a short amount of time.<br>
<br><br></div><div class="gmail_extra"><br>On Wed, May 22, 2013 at 12:13 AM, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05/22/2013 12:58 AM, Tena Gore wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'd like to verify that I'm on the right track here with setting up the<br>
protocols and types to use.<br>
</blockquote>
<br>
See:<br>
<br>
<a href="http://deployingradius.com/documents/protocols/compatibility.html" target="_blank">http://deployingradius.com/<u></u>documents/protocols/<u></u>compatibility.html</a><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
We have to use PAP because of not having clear text passwords?<br>
</blockquote>
<br>
Well, you said what it's wasn't, but didn't say what it *was*.<br>
<br>
MSCHAP requires the NT hash, or the cleartext to generate the NT hash.<br>
<br>
If you have a crypt (old or new style) then yes, you will need to use PAP.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
To avoid client certificates, we can use PEAP type of EAP?<br>
</blockquote>
<br>
PEAP does not support PAP, only MSCHAP.<br>
<br>
To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7 without 3rd party software.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Also, we have a wildcard domain SSL certificate, can this be used or do<br>
we have to create a new one for this purpose on the server?<br>
</blockquote>
<br>
People have reported problems with wildcard certs and windows clients. See the list archives.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Is there a recommended configuration for this type of deployment? Do you<br>
have any tips or tricks that would make our deployment go smoother?<br>
</blockquote>
<br>
"Recommended" would be to move to store plaintext passwords, which will let you use the full variety of EAP methods.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</blockquote></div><br></div></div>