Freeradius 2.1.8+Windows AD+MS-CHAP with ntlm_auth
Hi fellas, I've been working on Freeradius with XP supplicants for a while but so far I could't make it. Authentication against Active Directory works like a charm (http://deployingradius.com/documents/configuration/active_directory.html). I want to authenticate several users against AD keeping in mind the following conditions: - Not use of certificates at all. - Transparent authentication of clients in wireless networks using MS-CHAPv2 (username and password they use to authenticate against AD). I followed the tutorial above but, as I said, it does not work for me. Has someone made it works? _________________________________________________________________ Explore the seven wonders of the world http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE
Cesar Ortega wrote:
I've been working on Freeradius with XP supplicants for a while but so far I could't make it. Authentication against Active Directory works like a charm (http://deployingradius.com/documents/configuration/active_directory.html).
That's good to hear.
I want to authenticate several users against AD keeping in mind the following conditions: - Not use of certificates at all. - Transparent authentication of clients in wireless networks using MS-CHAPv2 (username and password they use to authenticate against AD).
It's impossible. The protocols used between the PC && access point are EAP, and require TLS. If you don't want to use EAP-TTLS or EAP-PEAP, your *only* option is to re-write the software on the PC and the access point. That is... it's impossible. If you use PEAP, you only need one certificate: the server cert. Alan DeKok.
Hi,
I've been working on Freeradius with XP supplicants for a while but so far I could't make it. Authentication against Active Directory works like a charm (http://deployingradius.com/documents/configuration/active_directory.html).
whats going wrong with your windows XP clients? this isnt hard stuff really, thousands of sites use it in this way.
I want to authenticate several users against AD keeping in mind the following conditions: - Not use of certificates at all. - Transparent authentication of clients in wireless networks using MS-CHAPv2 (username and password they use to authenticate against AD).
as Alan has said, impossible. you will need at least one certificate to be involved - thats the server cert. if you are worrying about deployment of the server cert and dont care that someone else can get such a cert then just get your server cert signed by a CA that comes with windows as standard (eg some VeriSign or such...). then its just a case of configuring the eap.conf section, configuring inner-tunnel to match requirements and then configure the windows . choose PEAP, -> dont login as login ID (unless login/pass is same as AD details!) configure the trust, set the server name to the CN in your cert, tick the correct CA dont login as guest ...thats pretty much it. then radiusd -X on this list if you have issues. i mean, what could go wrong? ;-) alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Cesar Ortega