Expired Active Directory Passwords & Wireless Authentication
Jason_Agress at newton.k12.ma.us
Wed Oct 10 13:50:31 CEST 2012
This is very promising! Thank you!
Is there any significant downside to using EAP-TTLS/PAP over PEAP?
FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>On 10/10/2012 03:21 AM, Jason Agress wrote:
>> Will that allow successful RADIUS authentication - and, therefore
>> wireless access - before the password change is initiated? Because our
>> clients are Macs that won't prompt for password change until after they
>> are connected to the wireless and authenticating against AD.
>Ah. Then no, mschap password changes won't help. FreeRADIUS just calls
>out to AD to auth users. If AD refuses to auth because the password is
>expired, the only thing you can do is a password change, which requires
>Since you're using Macs, you do have one option - change your EAP method
>to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth
>types you can "force" an accept on. Other auth types use
>challenge/response methods that require both side to prove to each other
>that they know the credentials.
>To implement this, you'd:
> 1. Install FreeRADIUS
> 2. Get EAP working with a local user
> 3. Get EAP working with AD users via Samba
>Everything up to this point is documented - see the wiki or
>deployingradius.com. Once you've got that far, you need to setup two
> * TTLS
> * A script to auth PAP against AD, wrapping ntlm_auth
>The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails,
>check for "expired" and force a success.
>Anyway - if you're willing to move from PEAP to TTLS, get the basics
>working then if you need advice, ask here again - people will be glad to
>help. It's relatively straightforward, but all the pieces might not be
>documented in obvious places.
>List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Users