Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

Bertalan Voros bertalan.voros at gmail.com
Fri Jan 25 15:42:26 CET 2013


The clients are employees of a fairly loose network of companies, each on
their own AD; some don't even have AD.

A frustrating mixture of Windows and OSX.

We maintain a central AD with all the user accounts in it but there are no
machines associated with that AD.

The self signed certificate works but people get prompted to accept it and
we were asked if it was possible for that to not happen.
The most likely users of this service would be the VIP types; it is
expected to "just work", so here I am.

Self-signed or commercial makes no difference, as the certificate is only
used for server authentication.
The only difference is users having to manually trust a cert or not.
Unless I am wrong.

On 25 January 2013 14:23, <A.L.M.Buxey at lboro.ac.uk> wrote:

> Hi,
>
> >    The reason I was attempting this is because I have to provide a service
> >    for roaming users and I was having issues with obtaining a certificate for
> >    the NPS server.
>
> what's wrong with just using your current FR certificate on the NPS box?
>
> >    Does this mean that I could use a self-signed certificate for the NPS that
> >    is recognized by the freeradius and have a commercial certificate on the
> >    freeradius that is then recognized by the clients?
>
> what are your clients/userbase?  why do you have to use a commercial certificate
> for your server?   if the clients authenticating are your clients then they can have
> the required private CA installed - the authentication is a closed loop.
> if you use a commercial cert e.g. Thawte, Verisign etc and only use that as trust then
> anyone can get a cert signed by that commercial CA as a first point to subverting
> your security
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Bertalan Voros
m: 07932858025
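The setup the subject line describes (FreeRADIUS terminates the PEAP/TLS tunnel with the certificate the clients see, and the inner EAP-MSCHAPv2 is proxied to NPS, which holds the AD credentials), as an added configuration sketch. It is not part of the original thread and not the FreeRADIUS project's own example; option names follow FreeRADIUS 2.x, and the IP address, shared secret, realm name and file paths are placeholders I have assumed.

```conf
# --- eap.conf (excerpt, assumed layout) ---
# FreeRADIUS presents the outer certificate and ends the TLS tunnel here.
eap {
    default_eap_type = peap
    tls {
        # The cert the supplicants validate. Commercial or private CA both
        # work; what matters is what the supplicant is told to trust.
        private_key_file = /etc/raddb/certs/radius.example.org.key   # placeholder path
        certificate_file = /etc/raddb/certs/radius.example.org.crt   # placeholder path
        CA_file          = /etc/raddb/certs/ca-chain.crt             # placeholder path
        dh_file          = /etc/raddb/certs/dh
        random_file      = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2
        # Forward the inner request as EAP-Message so NPS runs EAP-MSCHAPv2
        # itself, instead of FreeRADIUS converting it to MS-CHAP attributes.
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }
}

# --- proxy.conf (excerpt) ---
# NPS is an ordinary RADIUS home server from FreeRADIUS's point of view.
home_server nps {
    type   = auth
    ipaddr = 192.0.2.10      # placeholder: the NPS box
    port   = 1812
    secret = changeme        # placeholder: shared secret also configured on NPS
}
home_server_pool nps_pool {
    type        = fail-over
    home_server = nps
}
# Realm name is local only; "nostrip" keeps the full User-Name for NPS.
realm nps {
    pool = nps_pool
    nostrip
}

# --- sites-enabled/inner-tunnel (authorize section, excerpt) ---
# Proxy-To-Realm must be set before the eap module runs: rlm_eap sees it
# and returns noop instead of handling EAP-MSCHAPv2 locally.
authorize {
    update control {
        Proxy-To-Realm := "nps"
    }
    eap {
        ok = return
    }
}
```

Only the inner, already-tunnelled request reaches NPS, so the NPS certificate never matters to the supplicants; they only ever see FreeRADIUS's certificate. The caveat from the quoted reply still applies to that outer certificate: a supplicant profile that trusts a public CA must also be restricted to the expected server name (or the specific certificate), otherwise any certificate from that CA will pass validation.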