On Tue, Apr 15, 2014 at 08:41:51AM -0400, Ethan Chrisawn wrote:
I've been searching for a while now, and I can't seem to find a good answer. I have an ldap server and I would like to authenticate my users wirelessly without generating individual client certs for every device.
I heard that PEAP doesn't require the manual creation of client certs, but I can't use that with ldap because I can't pass it a cleartext password, right? What other options do I have to accomplish what I'm after?
Will your LDAP server give FreeRADIUS the cleartext password, or the NTLM password? If yes, then you can use PEAP/MSCHAPv2 or TTLS/MSCHAPv2. If no, then you're probably limited to TTLS/PAP. It depends on what your LDAP server will give access to: http://deployingradius.com/documents/protocols/compatibility.html If you're running AD, then you'll have to join FreeRADIUS to the domain and use ntlm_auth. If your LDAP server won't give access to any password, and you want to auth by binding to it, then TTLS/PAP is your only option. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>