John Douglass wrote:
I agree, EAP-PEAP-MSCHAPv2 isn't great. But for 100% of our WPA-Enterprise clients, they all support EAP-PEAP-MSCHAPv2 natively. With central authentication (passwords) for 30k users, having an additional password or an additional password store is not ideal.
Having a password store that *works* is useful.
If we agree that AD (EAP-PEAP-MSCHAPv2) is far from ideal, what other EAP types (outside of EAP-PEAP-TLS) do you recommend for end user authentication that is supported by native Windows, iOS, Android, and OSX clients?
The issue isn't really the EAP type. It's that Active Directory is being mean to you. Most modern systems support TTLS. That will work better. But XP doesn't support it.
I imagine if there were a better option with similar properties and ties to central authentication, then we would all flock to it.
If there was a system to pull passwords out of Active Directory, you could set up a "cron" job once a day to do that. Then for authentication, do: if (ldap says password was reset today) { do ntlm_auth } else { use the cached passwords } For the few users who change their passwords, ntlm_auth is fine. For everyone else, they use a real database. It would be MUCH faster, and a LOT more stable than native Active Directory. Alan DeKok.