freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

schilling schilling2006 at gmail.com
Wed Sep 15 20:07:16 CEST 2010


Hi,

We are thinking of authenticating users via 802.1x/mschapv2 with
freeradius, samba and Active Directory. Is the following a good
redundancy design? If not, which one is better?

radius1 1.1.1.1, radius2 2.2.2.2
Active Directory Domain Controllers 3.3.3.3 4.4.4.4

Put 1.1.1.1 and 2.2.2.2 as the primary/secondary radius server list in
the switches/APs/controllers.

On radius1
krb5.conf
    kdc = 3.3.3.3
    kdc = 4.4.4.4
smb.conf
    password server = 3.3.3.3, 4.4.4.4

On radius2
krb5.conf
    kdc = 4.4.4.4
    kdc = 3.3.3.3
smb.conf
    password server = 4.4.4.4, 3.3.3.3

For the certificate, do we need a server certificate for both radius1 and
radius2 if we want the supplicant to verify the server certificate?

Thanks,

Schilling


