a freeradious/wireless solution for a school

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Jan 25 21:44:59 CET 2007


Hi,

> So then it seems to me that my best solution would then be to implement
> either an EAP-PEAP or EAP-TTLS solution authenticating against either my

PEAP or TTLS? no reason why you cannot have both. FreeRADIUS is quite happy doing both 
at same time... especially if you use MSCHAPv2 as the inner auth for the TTLS.
its the same ntlm_auth line then too.

> and passwords.  What would, in your opinion, be better?  TTLS or PEAP?

its down to philosophy more than anything - until the proof that PEAP can be broken
with a simple tool ;-) - some implementations of PEAP are known to be 'leaky' - they
leak some of the challenge/response. that said. if you want anonymity, TTLS is the only
way - can use an anoymous auto identity. with most PEAP, you inner username is thrown
to the outer identity by default.

> Also, if I had a laptop for school-only use (say, for example, a laptop that
> we provide for the users), in this case the wireless connection would ned to
> be establish without user input (for example, have he machine connected
> already so that the user can log into the machine through windows).  Could I

if you use the AD, you can configure it to use machine authentication...in this
case the machine ID is in the AD and the system logs in before the user - now
you can have active, non-cached user logins too. 

alan



More information about the Freeradius-Users mailing list