On Wed, Apr 09, 2014 at 08:13:27PM -0400, John McCarthy wrote:
The other option that is appealing is TTLS/PAP. I spun up a server at the end of the day today to start testing that out. Does it play well with active directory using Kerberos? That option sounds nice because traffic is encrypted at both ends of the FreeRADIUS server.
Just note that Windows 7 and before have no built-in support for TTLS/PAP, so you have to use 3rd party supplicant software. Windows 8 (and MacOS and Linux and most other things) support it. The reason why PEAP/EAP-MSCHAPv2 is so prevalent is that, if you want to log in with a username and password, it is essentially the only mechanism that Microsoft have supported until recently, and nobody generally wants to faff around with either TLS certificate management or installing other supplicants. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>