Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

Bertalan Voros bertalan.voros at gmail.com
Fri Jan 25 16:25:20 CET 2013

Hi Alan,

Thanks for your insight, you are absolutely correct regarding the issues.
I will have to find a compromise that is acceptable by everyone.

> >    We maintain a central AD with all the user accounts in it but there
> >    are no machines associated with that AD.
> any reasons for proxying to the NPS rather than binding the FR system into
> the AD and authenticating locally?

Only that the FR site mentioned it as being complicated, and we already have
an NPS that we are otherwise happy with.
Looks like this would be the best option.

> >    The self-signed certificate works but people get prompted to accept
> >    it and we were asked if it was possible for that to not happen.
> some clients may prompt for the RADIUS or CA certificate anyway.
> >    The most likely users of this service would be the VIP types, it is
> >    expected to "just work" so here I am.
> ah...the VIP types who 'just want it to work!' - and thus decide that
> security requirements are superfluous and get in the way. fine, you need
> to demonstrate the issue with a classic man in the middle attack - a couple
> of easy to boot systems exist which do that.
> >    Self-signed or commercial makes no difference as the certificate is
> >    only used for server authentication.
> correct.
> >    The only difference is users having to manually trust a cert or not.
> >    Unless I am wrong.
> I would seriously advise that you look to having the right security in
> place and avoid users/clients having to configure their systems - ie an
> 802.1X deployment tool (such as XpressConnect from CloudPath) which will do
> all the work/configuration and installation of a CA for you as per your
> requirements - multi-platform and will do wireless and wired.
> (there are alternatives but none that are as feature-rich and support as
> many clients)

Will definitely look into that.
The difficulty is that some of the users are so remote from us that our
only encounter with them is seeing a log entry.
This is a global solution, very removed from the local tech team, only used
to let roaming users on to the wireless network.
We are providing a RADIUS server so they don't have to maintain a full copy
of all the users in the network (a network of companies).

It's a continuous headache for us.

> alan

Bertalan Voros
m: 07932858025
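Editor's note (added example, not part of the original thread and not code posted by either participant): the two designs weighed above, PEAP terminated on FreeRADIUS with the inner MSCHAPv2 either proxied to the NPS or checked locally against AD, look roughly like this in FreeRADIUS 3.x configuration syntax. Hostnames, IP addresses, the shared secret, the `EXAMPLE` domain, the certificate file names and the `nps` realm/pool names are placeholders. The `ntlm_auth` line follows the form given in the FreeRADIUS Active Directory howto; `${certdir}` and `${cadir}` are the variables defined in the stock `radiusd.conf`.

```text
# --- raddb/mods-available/eap (excerpt) ---
# Terminate PEAP here. The server certificate must chain to a CA the
# clients already trust (or one installed by a deployment tool), and the
# clients must be configured to validate it; a self-signed cert that users
# click through is what makes the rogue-AP man-in-the-middle demo work.
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/radius.example.org.key   # placeholder
        certificate_file = ${certdir}/radius.example.org.pem   # placeholder
        ca_file          = ${cadir}/ca-chain.pem               # placeholder
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        # The inner EAP-MSCHAPv2 exchange is handled by this virtual server.
        virtual_server = "inner-tunnel"
    }
}

# --- Option A: proxy the inner MSCHAPv2 to the NPS ---
# raddb/sites-available/inner-tunnel, in the authorize section.
# Everything reaching this virtual server has already been decrypted out of
# the PEAP tunnel, so the NPS sees plain EAP-MSCHAPv2 (not PEAP) and needs a
# network policy that accepts that EAP type from the FreeRADIUS host.
authorize {
    update control {
        Proxy-To-Realm := "nps"
    }
}

# raddb/proxy.conf
home_server nps1 {
    type   = auth
    ipaddr = 192.0.2.10        # placeholder NPS address
    port   = 1812
    secret = ChangeMeToSomethingLong   # placeholder shared secret
    # Reject replies that lack a valid Message-Authenticator.
    require_message_authenticator = yes
}
home_server_pool nps {
    type        = fail-over
    home_server = nps1
}
realm nps {
    auth_pool = nps
    nostrip    # send the User-Name through unchanged
}

# --- Option B: bind FreeRADIUS into AD and authenticate locally ---
# raddb/mods-available/mschap, with the host joined to the domain via
# Samba/winbind so ntlm_auth can validate the MSCHAPv2 challenge/response.
mschap {
    use_mppe           = yes
    require_encryption = yes
    require_strong     = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Use either Option A or Option B for the inner-tunnel authentication, not both. Whichever is chosen, the security property discussed in the thread comes from the outer PEAP layer: clients must be provisioned to trust only the issuing CA and to check the RADIUS server's certificate name, otherwise a rogue access point presenting any certificate can capture the MSCHAPv2 exchange regardless of how the inner method is verified.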