EAP-TTLS (PAP) with Win2K3 domain not working

Petar Marinkovic highl1 at gmail.com
Fri Jun 26 13:49:11 CEST 2009


Hi Ivan,

All of this is for testing purposes. So, I just need all of those methods to
work; if it can't work with the domain, then a cleartext password will be fine.
Can you give me some more info about setting up TTLS-GTC? Testing is being
done on Windows XP. Also, for EAP-TTLS with CHAP, enabling the user is enough,
right?

Sorry if some of my questions don't make sense, still new to all of this.

On Fri, Jun 26, 2009 at 13:44, Ivan Kalik <tnt at kalik.net> wrote:

> > What's left for me, I would like to authenticate users in domain with LEAP
> > and TTLS-GTC.
>
> Leap is rubbish and shouldn't be used ("Cisco LEAP, similar to WEP, has
> had well-known security weaknesses since 2003 involving offline password
> cracking."). For TTLS-GTC all you need is a supplicant that supports it. I
> know only of wpa_supplicant.
>
> > Also, what's needed to make EAP-TTLS with CHAP work?
>
> Supplicant that supports it.
>
> > I know you can't use ntlm_auth for that, so what do I need to put inside
> > users file? Will creating test user, for example,
> > test Cleartext-Password:= "test" work?
>
> Yes, chap can't be made to work with AD; it will work fine with clear
> passwords in users file. But storing passwords in several places (AD,
> users file, ...) is a bit of an administration nightmare. With AD you tend
> to change passwords every 6 weeks - how are you going to keep other
> passwords in sync?
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
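Added example (not part of the original thread and not FreeRADIUS code): why the quoted answer about CHAP holds. A CHAP response is MD5(identifier || password || challenge) per RFC 1994, so the server must hold the cleartext password to recompute it; a directory that keeps only a one-way hash cannot. The function names are hypothetical, and SHA-256 is used here only as a stand-in for the one-way hash that AD stores.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_with_cleartext(stored_password: bytes, ident: int,
                          challenge: bytes, response: bytes) -> bool:
    """Server side when the users file holds a Cleartext-Password."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_hash_only(stored_hash: bytes, ident: int,
                          challenge: bytes, response: bytes) -> bool:
    """Server side when only a one-way hash of the password is stored.

    The hash cannot be reversed, so the only thing available to feed into
    MD5 is the hash itself. That is a different MD5 input from the one the
    client used, so even a correct response never matches.
    """
    expected = chap_response(ident, stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"test"            # constructed sample, as in the users-file entry
    ident = 0x2A                  # constructed CHAP identifier
    challenge = os.urandom(16)    # server-chosen challenge
    response = chap_response(ident, password, challenge)  # what the client sends

    # Assumption: SHA-256 stands in for the directory's stored one-way hash.
    stored_hash = hashlib.sha256(password).digest()
    return {
        "cleartext_store_accepts": verify_with_cleartext(
            password, ident, challenge, response),
        "hash_only_store_accepts": verify_with_hash_only(
            stored_hash, ident, challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```

PAP inside the TTLS tunnel does not have this limitation, because the server receives the password itself and can check it against whatever form the backend stores.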