Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Fri Jan 25 15:23:10 CET 2013


>    The reason I was attempting this is because I have to provide a service
>    for roaming users and I was having issues with obtaining a certificate for
>    the NPS server.

whats wrong with just using your current FR certificate on the NPS box?

>    Does this mean that I could use a self signed certificate for the NPS that
>    is recognized by the freeradius and have a commercial certificate on the
>    freeradius that is then recognized by the clients?

what are your clients/userbase?  why do you have to use a commercial certificate
for your server?   if the clients authenticating are your clients then they can have
the required private CA installed - the authentication is a closed loop.  if you use
a commercial cert eg thawte, verisign etc and only use that as trust then anyone can
get a cert signed by that commercial CA as a first point to subverting your security


More information about the Freeradius-Users mailing list