need help & advice getting started with freeradius
Alexander Clouter
alex at digriz.org.uk
Sun Apr 5 21:45:47 CEST 2009
tnt at kalik.net wrote:
>
>>In my scenario I would like to use PEAP if possible but not require the user
>>client to have a certificate, just the radius-server (which is why i believe
>>the TTLS solution will be inefficient here as i would have to deal with
>>handing out client certificates to hundreds of users). And to be asked then
>>their username and password to authenticate onto our wireless. Would combining
>>these two guides work to get these two initial setups up and running?
>>
>
TTLS is *not* an admin hassle, TLS is (client side certificates). TTLS
means you put a verifiable server certificate on the *server* end that
the client can verify and know who it is talking to, then you can safely
even send the password in plain text.
> PEAP will require passwords stored as clear text or nt hash. If your
> passwords are stored as something else they will have to be changed.
>
...or...you use EAP-TTLS and get the client to send the passwords in
plaintext and then do an LDAP bind() to check if the credentials are
correct.
Once you are doing this you can one day get around to (if you want to)
putting in plaintext passwords into your LDAP database that FreeRADIUS
can use and abuse.
> As for combining freeradius and ldap perhaps you should read
> freeradius documentation first (wiki or doc/rlm_ldap from the
> download) and then see whether there is any need to bother with third party
> stuff.
>
Well PEAP without AD means you have to jump through a lot of hoops
manually configuring each client by hand. With something like SecureW2
you include a 'seeding' file and it will do all the hard manual priming.
This is all overlooking that PEAP is horrible: if you want to play
with OTPs or other fun custom things, good luck doing that with PEAP.
Cheers
--
Alexander Clouter
.sigmonster says: Marriage causes dating problems.
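A configuration sketch of the EAP-TTLS plus LDAP-bind arrangement described in the reply above, added here as an illustration and not part of the original thread. It uses FreeRADIUS 2.x syntax (the version current when this was posted), assumes the stock default site already calls `eap` in its authorize and authenticate sections, and the hostname, base DN and certificate paths are placeholders:

```conf
# eap.conf: the server presents its own certificate; the supplicant
# verifies it and only then sends the password inside the TLS tunnel.
eap {
    default_eap_type = ttls
    tls {
        certificate_file = ${certdir}/server.pem   # cert the clients are taught to trust
        private_key_file = ${certdir}/server.key
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
    ttls {
        default_eap_type = md5            # only used if the client picks an inner EAP method
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"   # tunnelled request is handled by the server below
    }
}

# sites-enabled/inner-tunnel: the inner request carries User-Name and a
# cleartext User-Password (inner PAP). Hand it to the ldap module, which
# binds to the directory as that user, so nothing has to be stored in LDAP
# as cleartext or an NT hash for this to work.
server inner-tunnel {
    authorize {
        ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := LDAP
            }
        }
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
}

# modules/ldap: directory to bind against (placeholder values)
ldap {
    server = "ldap.example.com"
    basedn = "dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
```

Clients that instead send an inner EAP method (MSCHAPv2, MD5) will not pass a cleartext User-Password, so the bind path above only applies when the supplicant is set to TTLS with PAP as the inner method.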