Expired Active Directory Passwords & Wireless Authentication

alan buxey A.L.M.Buxey at lboro.ac.uk
Wed Oct 10 14:07:42 CEST 2012


Hi,

>    Is there any significant downside to using EAP-TTLS/PAP over PEAP?

A few things. One is that you really need to trust the CA/RADIUS server -
as your credentials are all passed in the clear inside the TLS tunnel - so
if you are talking to a dodgy server you then send them everything.

Secondly, many clients don't support it natively, so you need to install
an extra supplicant to do it.

Not an issue if you are only trying to ensure that Mac users can change password
when things are wonky and Windows users use PEAP (which has the 'change/incorrect'
support) - but how do you stop Mac users using PEAP and still getting themselves
stuck?

alan
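
Added example, not part of the original post or of FreeRADIUS: a small audit of supplicant configuration for the first point above, flagging EAP-TTLS/PAP networks that would hand the password to any server because the server certificate is not pinned. It assumes wpa_supplicant as the supplicant (the post names none); the sample config, SSIDs, paths and hostname are constructed placeholders.

```python
import re

# Constructed sample config; SSIDs, paths and hostnames are placeholders.
SAMPLE_CONF = """
network={
    ssid="weak"
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="ca-only"
    eap=TTLS
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="pinned"
    eap=TTLS
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
}
"""
# wpa_supplicant options that constrain which server name is accepted
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(conf):
    """Map ssid -> findings for networks that send PAP inside EAP-TTLS."""
    report = {}
    for net in parse_networks(conf):
        if ("TTLS" not in net.get("eap", "").upper().split()
                or "AUTH=PAP" not in net.get("phase2", "").upper().split()):
            continue  # only TTLS/PAP exposes the cleartext password to the server
        findings = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no-ca")           # any server certificate is accepted
        if not any(net.get(k) for k in NAME_CHECKS):
            findings.append("no-server-name")  # any server under the CA is accepted
        report[net.get("ssid", "<no ssid>")] = findings
    return report
```

An empty findings list means the network validates both the issuing CA and the server name before the tunnelled PAP exchange.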


More information about the Freeradius-Users mailing list