On Dec 13, 2015, at 5:59 PM, Arjan Sinnige <a.sinnige@sae.edu> wrote:
I've been asked to research the possibility to link radius to an external login server.(out of my control)
OK.
The external server needs a username and cleartext password via a php script and will only reply 'ok' or 'fail'. It will not send back a password or anything.
How does it send a PHP script?
The devices we need to authenticate are numerous. From ipads, iphones, windows phones & android to all iterations of windows (7 and onwards), OSX & linux computers. Most if not all of them are students user devices which cannot be pre-configured. So it needs to work "out of the box".
Good luck...
Now I can get this to work easily if I authenticate against a local LDAP server which has NTLM and local user passwd accounts. All of these devices can do EAP-TTLS-Mschapv2 or EAP-PEAP-Mschapv2 but not all of them do TTLS-PAP (Windows & Windows phone etc...)
Exactly.
It is not possible with this setup to always get a cleartext password, or is it ?
It's not always possible to get a cleartext password.
In your valued opinion : Can it be done or should I spend my time on advising and creating a custom capture portal for the network ?
It's impossible in general. http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.