John McCarthy wrote:
The other option that is appealing is TTLS/PAP. I spun up a server at the end of the day today to start testing that out. Does it play well with active directory using Kerberos? That option sounds nice because traffic is encrypted at both ends of the FreeRADIUS server.
TTLS + PAP will work fine with Kerberos. You'll need to edit sites-enabled/inner-tunnel, and add "krb5" to the "authenticate" section. Then, in the "authorize" section, do: if (User-Password) { update control { Auth-Type := krb5 } } Also configure the krb5 file in mods-enabled/krb5. You should have Kerberos working about 30 seconds later.
I had been doing some research to get a better understanding on how all this worked. Alan DeKok had some great references at deployingradius.com to help me understand how all this works.
Thanks. Lots of people find it useful. Alan DeKok.