EAP-TTLS (PAP) not working with NT domain - debian freeradius 1.1.7
James McOrmond
jamesm at xandros.com
Wed Mar 19 18:33:00 CET 2008
>> With that, and a few configuration options (like making sure the host was
>> connected to the domain and ntlm_auth functioned as required), I've managed
>> to get PEAP and EAP-MSCHAPv2 working fine to the ntdomain.
>>
>> EAP-TTLS works fine with an account in the "users" file that has a clear
>> text password, as well as a local /etc/password account. Ideally this
>> should work with the ntdomain as well.
>> I'm testing with a laptop running XP, with the secureW2 package installed
>> to provide TTLS.
>>
>
> if you are using EAP-TTLS/PAP then you'll need a plain text password -
> this can be done via kerberos to the AD.
This is a Samba NT domain, not AD. I do not have access to the plain
text password through Samba or LDAP.
The "Protocol and Password Compatibility" chart and the "Authentication
Systems and Password Compatibility" chart from the "Deploying RADIUS:
The Book" page specifically say PAP/ntlm_auth is functional. Regular
CHAP is not because it requires the clear-text password.
> otherwise EAP-TTLS/MSCHAPv2 should work just like PEAP
>
except when testing whether EAP-TTLS works, it doesn't help much.
> I'd advise to get rid of the DEFAULT Auth := System line from the users file
>
Done.. auth to the /etc/passwd accounts doesn't make much sense.
--
James A. McOrmond (jamesm at xandros.com)
Network Administrator
Xandros Corporation, Ottawa, Canada.
Morpheus: ...after a century of war I remember that which matters most:
*We are still HERE!*
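
The PAP versus CHAP distinction discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS or ntlm_auth code. It assumes the domain backend holds only the NT hash (MD4 of the UTF-16LE password); the function names and the sample password are constructed for illustration.

```python
import hashlib, hmac, os, struct

R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # MD4 round-3 word order

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled with OpenSSL 3."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:
                f, k, s = ((b & c) | (b & d) | (c & d)) + 0x5A827999, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, R3[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rol((a + f + x[k]) & 0xFFFFFFFF, s), b, c
        h = [(p + q) & 0xFFFFFFFF for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def pap_verify(stored_nt: bytes, tunnelled_password: str) -> bool:
    # PAP inside the TTLS tunnel hands the server the password itself,
    # so the server side can hash it and compare with the stored NT hash.
    return hmac.compare_digest(nt_hash(tunnelled_password), stored_nt)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(server_secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    # The verifier must recompute the response, so it needs the same secret the client used.
    return hmac.compare_digest(chap_response(ident, server_secret, challenge), response)

def demo() -> dict:
    password = "password"               # constructed sample value
    stored = nt_hash(password)          # all that the domain backend keeps
    challenge = os.urandom(16)
    client = chap_response(1, password.encode(), challenge)
    return {"pap_ok": pap_verify(stored, password),
            "pap_wrong": pap_verify(stored, "wrong"),
            "chap_with_cleartext": chap_verify(password.encode(), 1, challenge, client),
            "chap_with_nt_hash": chap_verify(stored, 1, challenge, client)}

if __name__ == "__main__":
    print(demo())
```
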