I'd like to move to WPA Enterprise EAP/PEAP from EAP/TLS. That way there are no client certificates to deal with and I can instead just use usernames/passwords. I don't, however, want either OpenLDAP or AD to do it. Both would be overkill for my needs and just add an extra layer to maintain. Instead I want to use either PAM or MySQL in their place. Is this even possible? If so how? I haven't seen any documentation that definitively explains this one way or another. Testing I'm able to successfully authenticate using the radtest program. From a client (both Windows and Linux) I get invalid username/password errors. Debug mode I see the username being passed correctly along with other information but no password, encrypted or otherwise. Maybe this is by design? I haven't seen what working PEAP debug messages look like so I have no frame of reference.
Matt Goebel wrote:
I'd like to move to WPA Enterprise EAP/PEAP from EAP/TLS. That way there are no client certificates to deal with and I can instead just use usernames/passwords. I don't, however, want either OpenLDAP or AD to do it. Both would be overkill for my needs and just add an extra layer to maintain. Instead I want to use either PAM or MySQL in their place. Is this even possible?
PAM, no. MySQL, yes.
If so how? I haven't seen any documentation that definitively explains this one way or another. Testing I'm able to successfully authenticate using the radtest program.
If you can get PAP authentication working, and you have TLS working, you can get PEAP working with minimal effort.
From a client (both Windows and Linux) I get invalid username/password errors. Debug mode I see the username being passed correctly along with other information but no password, encrypted or otherwise.
That's how PEAP works. You may try posting the debug output here, as suggested in the FAQ, INSTALL, README, and daily on this list.
Maybe this is by design? I haven't seen what working PEAP debug messages look like so I have no frame of reference.
We have. So... why don't you post them here? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Matt Goebel