RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
Just confirming that I've tested this in the past and it works, but I believe the poster of the article is dubious about a production environment. When I tried it on wifi it took a second or so more to authenticate for some reason, so we eventually went with eap-tls instead because of this and because it was simpler. I did also get quite a few "The EAP message did not complete" but that could be coincidental. -----Original Message----- From: freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu s.org] On Behalf Of Phil Mayers Sent: 20 May 2013 10:51 To: freeradius-users@lists.freeradius.org Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ? On 20/05/13 09:02, Robert wrote:
Hi
I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
I want to know if freeradius supports the following methods :
See here: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-micro soft-soh/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, May 21, 2013 at 08:03:48AM +0100, Franks Andy (RLZ) IT Systems Engineer wrote:
Just confirming that I've tested this in the past and it works, but I believe the poster of the article is dubious about a production environment.
Not at all - we are running it in production. The warning at the bottom is to make you think about what you're doing first, rather than to blindly copy my examples and then open yourself up to security issues that you haven't thought through. The examples are stripped down to their utter bare minimum - which is unlikely to be what you want in production.
When I tried it on wifi it took a second or so more to authenticate for some reason, so we eventually went with eap-tls instead because of this and because it was simpler. I did also get quite a few "The EAP message did not complete" but that could be coincidental.
It's been running fine here with a lot of laptops for over a year now. We usually see the "EAP did not complete" errors from bad wireless signals or misconfigured EAP timers. As the article says - the only real benefit is to get SoH data from the device. If you don't want/need that, you're fine with plain EAP-TLS (and with less round trips, it will auth faster, too). Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Franks Andy (RLZ) IT Systems Engineer -
Matthew Newton