Freeradius + Active Directory

Rowley, Mathew Mathew_Rowley at cable.comcast.com
Thu Oct 21 19:40:48 CEST 2010


I am kind of confused - one of our use cases is having our wireless
infrastructure authenticating through freeradius and in the end AD. Why
would it matter that freeradius uses rlm_krb5? Wouldn't it look something
like:

User----AP----Controller----freeradius----AD
  Anything-auth        radius       kerberos
Controller configured




On 10/21/10 9:16 AM, "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:

>On 21/10/10 15:50, Rowley, Mathew wrote:
>> Ah, that is true. I never thought that deeply into it, and only did a
>>POC.
>> Is the downfall of doing things this way that passwords must be sent in
>> the clear?
>
>Not really. The User-Password radius field is "encrypted" with the
>shared secret, which is reasonable (though not excellent) security.
>
>For wireless/wired 802.1x users, the issue is that the windows
>supplicant does not *support* EAP-TTLS/PAP. It only supports
>EAP-PEAP/MS-CHAP, so rlm_krb5 is no use in this (common) case.
>
>As I say, if you're just checking PAP it may meet your needs.




