Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
A.L.M.Buxey at lboro.ac.uk
Fri Jan 25 15:57:21 CET 2013
Hi,
> We maintain a central AD with all the user accounts in it but there are no
> machines associated with that AD.
any reasons for proxying to the NPS rather than binding the FR system into the AD
and authenticating locally?
> The self-signed certificate works but people get prompted to accept it and
> we were asked if it was possible for that to not happen.
some clients may prompt for the RADIUS or CA certificate anyway.
> The most likely users of this service would be the VIP types, it is
> expected to "just work" so here I am.
ah...the VIP types who 'just want it to work!' - and thus decide that security
requirements are superfluous and get in the way. fine, you need to demonstrate the
issue with a classic man-in-the-middle attack - a couple of easy-to-boot systems
exist which do that.
> Self-signed or commercial makes no difference as the certificate is only
> used for server authentication.
correct.
> The only difference is users having to manually trust a cert or not.
> Unless I am wrong.
I would seriously advise that you look to having the right security in place and avoid
users/clients having to configure their systems - i.e. an 802.1X deployment tool (such
as XpressConnect from CloudPath) which will do all the work/configuration and installation
of a CA for you as per your requirements - multi-platform and will do wireless and wired.
(there are alternatives but none that are as feature-rich and support as many clients)
alan
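The two designs contrasted in this thread, as an added configuration example that is not part of Alan's reply or of the FreeRADIUS project's own documentation: option A terminates PEAP on FreeRADIUS and proxies the inner credentials to NPS as plain MS-CHAPv2; option B joins the FreeRADIUS host to the AD and authenticates locally through ntlm_auth, with no NPS hop. The NPS address (192.0.2.10), shared secret, realm name ("nps"), AD domain (EXAMPLE) and certificate paths are assumed placeholders; the option and module names are FreeRADIUS 3.x.

```conf
# Added example (not from Alan's reply or the FreeRADIUS project): FreeRADIUS 3.x
# fragments for the two designs discussed in the thread. Host address, shared
# secret, realm name, AD domain and certificate paths are assumed placeholders.

# mods-available/eap, tls-common: the server certificate the client is asked to
# trust. Self-signed or commercial only changes the prompt; the protection
# comes from the client being configured to validate this CA and server name.
tls-common {
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    ca_file          = ${cadir}/ca.pem
}

# --- Option A: terminate PEAP locally, proxy the inner MSCHAPv2 to NPS -------

# mods-available/eap, peap section
peap {
    tls = tls-common
    default_eap_type = mschapv2
    virtual_server = "inner-tunnel"
    # Proxy the tunnelled credentials as plain MS-CHAPv2 (MS-CHAP-Challenge /
    # MS-CHAP2-Response attributes) rather than as EAP-MSCHAPv2, which is what
    # an NPS network policy using MS-CHAP-V2 expects.
    proxy_tunneled_request_as_eap = no
}

# proxy.conf: the NPS box as a home server, with a status check so a dead NPS
# is noticed instead of every login waiting out the retry timeout.
home_server nps1 {
    type   = auth
    ipaddr = 192.0.2.10                  # placeholder NPS address
    port   = 1812
    secret = CHANGE-ME-SHARED-SECRET     # placeholder; use a long random value
    status_check = status-server
}

home_server_pool nps_pool {
    type        = fail-over
    home_server = nps1
}

realm nps {
    auth_pool = nps_pool
    nostrip
}

# sites-available/inner-tunnel, authorize section: route the inner request to
# NPS. The outer PEAP exchange (and the server certificate) stays on FreeRADIUS.
authorize {
    # ... the stock modules (filter_username, chap, mschap, suffix, eap, ...)
    # stay here; only the proxy decision is added:
    update control {
        Proxy-To-Realm := "nps"
    }
}

# --- Option B: bind FreeRADIUS into the AD, authenticate locally -------------
# Assumed prerequisites (outside FreeRADIUS): the host is joined with
# "net ads join", winbind is running, and the radiusd user can read the
# winbind privileged pipe directory.

# mods-available/mschap
mschap {
    use_mppe           = yes
    require_encryption = yes
    require_strong     = yes
    with_ntdomain_hack = yes
    # EXAMPLE is a placeholder NetBIOS domain name.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

With option B the inner-tunnel needs no Proxy-To-Realm; the stock `mschap` call in its authenticate section does the work, and the only shared secret left in the path is the one between the access points and FreeRADIUS.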