PEAP and domain logon

K. Hoercher wbhoer at gmail.com
Thu Sep 21 13:23:23 CEST 2006


Hi,

just to nitpick around a bit:

the description on p. 11 looks a bit confused (or I am). If the part
"Specify now the network[...]"  is meant to mean that the supplicants
are somehow checked to be in that subnet (talking about "Any
computers") this would be false imho.

As the further up  mentioning of "add a first Cisco switch" might be
conjured to mean it is needed, even if a broader definition of a
subnet of APs  (clients) follows, that would be false in the same way.
To put it short, check with freeradius doc (man 5 clients.conf) and
don't rely on the tutorial's say-so.

Afaik the suggested deselecting of "Validate Server Certificate" on p.
18 provides for not needing to install the root CA cert, but at the
cost of pretty much defying the "protected" in PEAP.

On 9/20/06, Christoffer Dahl Petersen <cdp at trynix.dk> wrote:
> I have checked the option "automatically use my windows logon name and
> password..." on my XP Clients, but only users who have been logged in before
> can log in again, because of their cached credentials. To me this is the "chicken
> or the egg" dilemma; does anyone have a solution for this issue?

Sorry for not being helpful to your actual problem (anyways, it
doesn't seem to be a freeradius one *g*).  Some thoughts are:
- Did you check for the (lately more often discussed here) machine
auth possibility?
- Some evil registry hacks concerning EAPOL (caching, usage of credentials)

regards
K. Hoercher


