Stieven.Struyf@komatsu.eu wrote: ... Please don't send HTML to the list.
I am implementing 802.1x on our network. The easiest solution to do this is by using "reversible passwords" in active directory
That isn't necessary.
Only other way is by using kerberos.
That's impossible. Kerberos doesn't do MS-CHAP, which is the authentication protocol used by Windows clients for 802.1x Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/23/2006 04:51:59 PM:
Stieven.Struyf@komatsu.eu wrote: ...
Please don't send HTML to the list. i know, but it was related to my question and the info i already gathered.
I am implementing 802.1x on our network. The easiest solution to do this is by using "reversible passwords" in active directory
That isn't necessary.
Only other way is by using kerberos.
That's impossible. Kerberos doesn't do MS-CHAP, which is the authentication protocol used by Windows clients for 802.1x
What other setup can you recommend with minimal account administration? Can you argument why (not) to store password with reversible encryption in AD.
Stieven.Struyf@komatsu.eu wrote:
What other setup can you recommend with minimal account administration?
Use ntlm_auth. There are any number of HOWTO's on doing this, including the Wiki and my web site.
Can you argument why (not) to store password with reversible encryption in AD.
Because it doesn't do anything useful. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Can't use that as an argument, mickeysoft strongly recommends to leave it disabled, and i'm not the windows admin. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 "Alan DeKok" <aland@deployingradius.com> Sent by: freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org 10/24/2006 05:52 PM Please respond to FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject Re: rlm_krb5 Stieven.Struyf@komatsu.eu wrote:
What other setup can you recommend with minimal account administration?
Use ntlm_auth. There are any number of HOWTO's on doing this, including the Wiki and my web site.
Can you argument why (not) to store password with reversible encryption in AD.
Because it doesn't do anything useful. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Stieven.Struyf@komatsu.eu wrote:
Can't use that as an argument, mickeysoft strongly recommends to leave it disabled, and i'm not the windows admin.
Don't send HTML to the list. As Alan has tried to explain, the "Reversible Encryption" flag in AD is not needed. So you don't need to change anything. Just setup Samba on your machine, join the domain, and configure FreeRadius to use the "ntlm_auth" helper in the "mschap" module. This is documented lots of places. Use google.
participants (3)
-
Alan DeKok -
Phil Mayers -
Stieven.Struyf@komatsu.eu