Hi,
What we are wondering is if its possible to still have requests come through to our freeradius box, and instead of providing the certificate and proxying the contents of the inner tunnel to the AD box.. if its possible to simply proxy the entire request, PEAP/MSCHAP and all directly to their AD servers? They are hesitant to allow our freeradius box to join the domain, and if its doable, a workaround would be the preferred route.
yes, sure you can - they'll have to run IAS or NPS (ad2003 or ad2008 etc) and then you simply proxy the whole shaboodle off to them to deal with - then you dont need to play around with ntlm_auth etc etc. of course, they'll have to put required certs onto their auth system but thats a minor issue. alan