On Feb 3, 2016, at 12:31 PM, Greg Mischel Smith <gregms@gmail.com> wrote:
Honestly, I haven't looked much at EAP-TTLS yet, but am starting to. If I understand correctly, this tends to be more certificate based authentication.
No. EAP-TLS requires client certs. EAP-TTLS does not.
We have a lot of personal cell phones. My presumption would be that we would have to load certificates onto these devices, is that correct?
No.
If that will get us around our problem, I'm open to that, but prefer not due to complexity. I'm just starting to look for documentations suggesting how to do this. It would be going through a Cisco WLC. I'm seeing EAP-TLS option on the WLC, but nothing specific with EAP-TTLS.
You shouldn't need to configure the access point for EAP-TLS versus EAP-TTLS. They should all just work.
And in all honesty, if freeradius isn't the best solution for what we're trying to do,
FreeRADIUS is a RADIUS server. It doesn't manage 802.1X configurations on user machines. FreeRADIUS does more, and is more flexible than any commercial RADIUS server.
if we need to purchase something like Cisco ACS, that would be on the table, I just know having OpenLDAP with plaintext passwords just isn't an option (even with ACL's on them).
http://deployingradius.com/documents/protocols/compatibility.html That table outlines the limitations for *all* RADIUS servers. These limitations are determined by the authentication method, not by the RADIUS server implementation. You will run into identical limitations with ACS. Their sales people may lie to you, but we won't. Alan DeKok.