Expired Active Directory Passwords & Wireless Authentication

Jason Agress Jason_Agress at newton.k12.ma.us
Wed Oct 10 13:50:31 CEST 2012

This is very promising! Thank you!

Is there any significant downside to using EAP-TTLS/PAP over PEAP?

FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>On 10/10/2012 03:21 AM, Jason Agress wrote:
>> Will that allow successful RADIUS authentication - and, therefore
>> wireless access - before the password change is initiated? Because our
>> clients are Macs that won't prompt for password change until after they
>> are connected to the wireless and authenticating against AD.
>Ah. Then no, mschap password changes won't help. FreeRADIUS just calls 
>out to AD to auth users. If AD refuses to auth because the password is 
>expired, the only thing you can do is a password change, which requires 
>client support.
>Since you're using Macs, you do have one option - change your EAP method 
>to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth 
>types you can "force" an accept on. Other auth types use 
>challenge/response methods that require both side to prove to each other 
>that they know the credentials.
>To implement this, you'd:
>  1. Install FreeRADIUS
>  2. Get EAP working with a local user
>  3. Get EAP working with AD users via Samba
>Everything up to this point is documented - see the wiki or 
>deployingradius.com. Once you've got that far, you need to setup two
>  * TTLS
>  * A script to auth PAP against AD, wrapping ntlm_auth
>The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, 
>check for "expired" and force a success.
>Anyway - if you're willing to move from PEAP to TTLS, get the basics 
>working then if you need advice, ask here again - people will be glad to 
>help. It's relatively straightforward, but all the pieces might not be 
>documented in obvious places.
>List info/subscribe/unsubscribe? See

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121010/2b0ca280/attachment-0001.html>

More information about the Freeradius-Users mailing list