Expired Active Directory Passwords & Wireless Authentication

Jason Agress Jason_Agress at newton.k12.ma.us
Wed Oct 10 13:50:31 CEST 2012


This is very promising! Thank you!

Is there any significant downside to using EAP-TTLS/PAP over PEAP?

FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
writes:
>On 10/10/2012 03:21 AM, Jason Agress wrote:
>> Will that allow successful RADIUS authentication - and, therefore
>> wireless access - before the password change is initiated? Because our
>> clients are Macs that won't prompt for password change until after they
>> are connected to the wireless and authenticating against AD.
>
>Ah. Then no, mschap password changes won't help. FreeRADIUS just calls 
>out to AD to auth users. If AD refuses to auth because the password is 
>expired, the only thing you can do is a password change, which requires 
>client support.
>
>Since you're using Macs, you do have one option - change your EAP method 
>to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth 
>types you can "force" an accept on. Other auth types use 
>challenge/response methods that require both sides to prove to each other 
>that they know the credentials.
>
>To implement this, you'd:
>
>  1. Install FreeRADIUS
>  2. Get EAP working with a local user
>  3. Get EAP working with AD users via Samba
>
>Everything up to this point is documented - see the wiki or 
>deployingradius.com. Once you've got that far, you need to set up two
>things:
>
>  * TTLS
>  * A script to auth PAP against AD, wrapping ntlm_auth
>
>The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, 
>check for "expired" and force a success.
>
>Anyway - if you're willing to move from PEAP to TTLS, get the basics 
>working then if you need advice, ask here again - people will be glad to 
>help. It's relatively straightforward, but all the pieces might not be 
>documented in obvious places.

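The quoted reply outlines a wrapper around ntlm_auth that turns an "expired password" failure into an accept for the TTLS/PAP inner tunnel. The script below is an added example of that idea; it is not code from FreeRADIUS, Samba or the list posters. The ntlm_auth path, the NTLM_DOMAIN value, the "wrapper USER PASSWORD" calling convention and the sample NT_STATUS lines are assumptions for illustration. The exit status is what rlm_exec acts on (0 = accept, 1 = reject); ntlm_auth exits non-zero for every failure, so the wrapper has to inspect the NT_STATUS text it prints to tell "right password, but expired" apart from "wrong password".

```shell
#!/bin/sh
# ntlm_auth_expired_ok.sh  (added example; not part of FreeRADIUS or Samba)
#
# Wrapper around Samba's ntlm_auth for a FreeRADIUS "exec" module in the
# EAP-TTLS inner tunnel, where PAP gives the server the cleartext
# User-Password. Exit status is what rlm_exec acts on: 0 = accept, 1 = reject.
#
# Policy: a user whose password verified but is expired (AD answers
# NT_STATUS_PASSWORD_EXPIRED or NT_STATUS_PASSWORD_MUST_CHANGE) is accepted
# so the Mac can get onto the wireless and then change the password. Every
# other ntlm_auth failure (wrong password, locked, disabled, ...) stays a
# reject.
#
# Assumptions (adjust for your site): the ntlm_auth path, the NTLM_DOMAIN
# value, and being invoked as "wrapper USER PASSWORD" from an exec module's
# program= line, e.g.
#   program = "/usr/local/bin/ntlm_auth_expired_ok.sh %{mschap:User-Name} %{User-Password}"

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"   # assumed location of Samba's ntlm_auth
NTLM_DOMAIN="${NTLM_DOMAIN:-MYDOMAIN}"         # assumed NetBIOS domain name

# decide_exit STATUS OUTPUT
#   STATUS is ntlm_auth's exit code, OUTPUT the status line it printed.
#   Echoes the exit code this wrapper should hand back to FreeRADIUS.
decide_exit() {
    if [ "$1" -eq 0 ]; then
        echo 0            # NT_STATUS_OK: genuine success, pass it through
        return 0
    fi
    case "$2" in
        *NT_STATUS_PASSWORD_EXPIRED*|*NT_STATUS_PASSWORD_MUST_CHANGE*)
            echo 0 ;;     # password was right but expired: force an accept
        *)
            echo 1 ;;     # anything else: keep the reject
    esac
    return 0
}

# run_auth USER PASSWORD
#   Calls ntlm_auth the way the stock FreeRADIUS ntlm_auth module does and
#   returns the wrapper's decision as its own exit status.
run_auth() {
    rc=0
    # Capture stdout so nothing reaches rlm_exec; the status text is kept for
    # the decision and for a log line on stderr (which radiusd inherits).
    out=$("$NTLM_AUTH" --request-nt-key --domain="$NTLM_DOMAIN" \
              --username="$1" --password="$2" 2>/dev/null) || rc=$?
    decision=$(decide_exit "$rc" "$out")
    # Log the outcome, never the password.
    echo "ntlm_auth wrapper: user=$1 status=\"$out\" rc=$rc -> exit $decision" >&2
    return "$decision"
}

# Only act as the wrapper when given USER and PASSWORD; sourcing the file
# (for example to exercise decide_exit) runs nothing.
if [ $# -ge 2 ]; then
    run_auth "$1" "$2"
    exit $?
fi
```

Hook it in as the program of an exec module with wait = yes in the inner-tunnel virtual server, configured the same way as the stock ntlm_auth module (the module and Auth-Type names are yours to choose). Two caveats a practitioner should weigh: the match is deliberately limited to the two "expired" statuses so that wrong-password, locked-out and disabled results are still rejected, and, as with the stock module, the cleartext password appears on ntlm_auth's command line on the RADIUS host, so keep that host tightly controlled.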
