Hi,
I have two questions for my understanding. I set up FreeRADIUS to authenticate against our Active Directory. I read in the readme that this couldn´t be done with the ldap module, so I did it with SAMBA. It works fine for MSCHAPv2. But nowhere stands why it couldn’t be done with the ldap module. Can anybody give a technical explanation? As I read the ldap module can only work with cleartext passwords and eap is encrypted. But why can’t it work with. A technical explanation would be nice.
it depends what you want to do with the AP and ldap - you can use it to check groups membership etc.
As I wrote I setted FreeRADIUS up to work fine with the Active Directory. I configured the eap.conf to work with PEAP and MSCHAPv2. When I configured it in this way I don’t need certificates? The certificates aren’t checked by the clients or server aren’t they? Do I need certificates when I use PEAP with MSCHAPv2 or I am doing something wrong?
PEAP will show the client 2 certificates...the server certificate and the CA of that certificate (and intermediates if there are any). a basic freeradius install will have 2 snake-oil certs (local CA and server sined by that CA). it is up to you to ensure that clients are configured to check/verify the certificates. alan