Thank you all for your replies. Our passwords are SALTED SHA1 encoded, so the chart you so kindly directed me to states we would have to use EAP-GTC with PAP. Seems I have quite a steep learning curve in a short amount of time.



On Wed, May 22, 2013 at 12:13 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 05/22/2013 12:58 AM, Tena Gore wrote:

I'd like to verify that I'm on the right track here with setting up the
protocols and types to use.

See:

http://deployingradius.com/documents/protocols/compatibility.html

We have to use PAP because of not having clear text passwords?

Well, you said what it's wasn't, but didn't say what it *was*.

MSCHAP requires the NT hash, or the cleartext to generate the NT hash.

If you have a crypt (old or new style) then yes, you will need to use PAP.

To avoid client certificates, we can use PEAP type of EAP?

PEAP does not support PAP, only MSCHAP.

To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7 without 3rd party software.

Also, we have a wildcard domain SSL certificate, can this be used or do
we have to create a new one for this purpose on the server?

People have reported problems with wildcard certs and windows clients. See the list archives.

Is there a recommended configuration for this type of deployment? Do you
have any tips or tricks that would make our deployment go smoother?

"Recommended" would be to move to store plaintext passwords, which will let you use the full variety of EAP methods.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html