more EAP/TTLS trouble
Alan DeKok
aland at deployingradius.com
Wed May 30 14:52:41 CEST 2012
Steve Hopps wrote:
> We're trying to use an access point configured for WPA2 using FreeRADIUS
> to authenticate with OpenLDAP. For Android and Linux it works out of the
> box with EAP/TTLS and PAP. So we used PAM because it already works with
> LDAP. I didn't know other encryption types wouldn't work with PAM.

This confuses me. Why use PAM when FreeRADIUS can use LDAP directly?

> iPhones work with a custom config profile that's easily installed.
> However, our most significant hurdle is Windows machines. Who would have
> guessed??? For some stupid reason Microsoft doesn't care about
> supporting all modern encryption standards. Making our staff pay for
> SecureW2 isn't an option and XSupplicant doesn't work reliably yet in
> 64-bit Win7. So I'm back to trying to get MSCHAPv2 working with PEAP.
> This seems impossible.

It's possible. It's easy.

(a) configure FreeRADIUS to query LDAP directly

(b) ensure that the passwords in LDAP are stored in a format
    compatible with MS-CHAP.

If you can do both, then getting PEAP to work should be trivial.

In 2.1.2, you can use "radclient" to send MS-CHAP requests to the
server. Don't even THINK of trying to get PEAP to work until you have
plain old MS-CHAP working.
Alan DeKok.
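
Added example, not part of the message above and not FreeRADIUS code: a check for point (b) that reads an LDIF export and reports, per entry, whether the directory holds anything MS-CHAP can use. MS-CHAP needs the cleartext password or its NT hash, so one-way schemes such as {SSHA} or {CRYPT} cannot satisfy it. Assumptions: the NT hash, if present, is in the Samba-schema `sambaNTPassword` attribute; the function names and the sample DNs and values are constructed for illustration.

```python
import base64
import re

CLEAR_SCHEMES = {"CLEAR", "CLEARTEXT"}         # reversible, so MS-CHAP can use it
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # NT hash: 16 bytes written as hex

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # unfold long lines
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):                        # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        yield entry

def mschap_material(entry):
    """Return 'nt-hash', 'cleartext', or 'none (<schemes found>)'."""
    # Assumption: NT hashes live in the Samba-schema sambaNTPassword attribute.
    if any(NT_HASH_RE.match(v) for v in entry.get("sambantpassword", [])):
        return "nt-hash"
    schemes = []
    for pw in entry.get("userpassword", []):
        m = re.match(r"^\{([^}]+)\}", pw)
        scheme = m.group(1).upper() if m else "CLEARTEXT"   # no prefix: plain text
        if scheme in CLEAR_SCHEMES:
            return "cleartext"
        schemes.append(scheme)
    return "none (%s)" % ", ".join(schemes or ["no password attribute"])

def audit(text):
    """Map each entry's DN to the MS-CHAP-usable material found for it."""
    return {e["dn"][0]: mschap_material(e) for e in parse_ldif(text) if "dn" in e}

# Constructed sample export; every DN, password and hash below is made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
userPassword:: %s

dn: uid=bob,ou=people,dc=example,dc=org
userPassword: {SSHA}constructed-not-a-real-hash
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=carol,ou=people,dc=example,dc=org
userPassword: {CLEARTEXT}constructed-password
""" % base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode()

if __name__ == "__main__":
    for dn, result in audit(SAMPLE_LDIF).items():
        print(dn, "->", result)
```

Entries reported as `none (...)` can still authenticate with PAP inside EAP-TTLS but will fail MS-CHAP until a cleartext password or NT hash is stored for them.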