Is there any other ways to authenticate against Active Directory with FreeRADIUS? is it possible to authenticate using Kerberos instead of ntlm or ms-chap. Maybe EAP-TLS.
On 04/09/2014 12:40 PM, John McCarthy wrote:
Is there any other ways to authenticate against Active Directory with FreeRADIUS?
is it possible to authenticate using Kerberos instead of ntlm or ms-chap. Maybe EAP-TLS.
The problem with 802.1x and clients is that not every authentication methodology is supported by every client. I haven't done any hybrid authentications yet (i.e. both EAP-PEAP-MSChapV2 and EAP-TTLS) but most certainly radius can handle that with the right configuration. You should definitely evaluate your client base and their capabilities before determining which auth protocols to support or not. - John Douglass Sr. Systems IT/Architect Georgia Institute of Technology
On Wed, Apr 09, 2014 at 12:40:20PM -0400, John McCarthy wrote:
Is there any other ways to authenticate against Active Directory with FreeRADIUS?
is it possible to authenticate using Kerberos instead of ntlm or ms-chap. Maybe EAP-TLS.
EAP-TLS is fine, as long as you're willing to accept the overhead of certificate management (which is easier using AD), though note that you are then changing from per-user authentication to per-machine authentication, which may not be what you want/need. If you're using Windows on the clients, that's about the only other option unless you start to use a 3rd party 802.1X supplicant (or Windows >= 8). There may be other options with different client operating systems. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
John Douglass -
John McCarthy -
Matthew Newton