On 04/09/2020 16:51, Martin Pauly wrote:
Am 02.09.20 um 10:55 schrieb Xand Meaden via Freeradius-Users:
NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2 The NPS surely is a member of a windows domain, right? If the admins of that domain allowed your FR as a member (i.e. a samba instance on your server), you could feed the passwords directly to mschap/ntlm_auth. This _might_ increase performance over external wpa_supplicant or eapol_test as using this functionality no longer requires spawning an external process. But extending an AD domain like that may pose security issues of its own.
Thanks - we've been using AD for authentication directly, but are looking to switch to the NPS server as it's tied into a multi-factor authentication system used by other systems. From Alan's suggestion I've got something working using the FreeRADIUS Python module and eapol_test but I'm not completely happy with how it's cobbled together :) Regards, Xand -- Xand Meaden | Senior Linux Engineer Faculty of Natural & Mathematical Sciences King's College London