New design/deployment of freeradius

Phil Mayers p.mayers at imperial.ac.uk
Wed May 22 09:13:05 CEST 2013


On 05/22/2013 12:58 AM, Tena Gore wrote:

> I'd like to verify that I'm on the right track here with setting up the
> protocols and types to use.

See:

http://deployingradius.com/documents/protocols/compatibility.html

> We have to use PAP because of not having clear text passwords?

Well, you said what it wasn't, but didn't say what it *was*.

MSCHAP requires the NT hash, or the cleartext to generate the NT hash.

If you have a crypt (old or new style) then yes, you will need to use PAP.

> To avoid client certificates, we can use PEAP type of EAP?

PEAP does not support PAP, only MSCHAP.

To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7 
without 3rd party software.

> Also, we have a wildcard domain SSL certificate, can this be used or do
> we have to create a new one for this purpose on the server?

People have reported problems with wildcard certs and Windows clients.
See the list archives.

> Is there a recommended configuration for this type of deployment? Do you
> have any tips or tricks that would make our deployment go smoother?

"Recommended" would be to move to store plaintext passwords, which will 
let you use the full variety of EAP methods.
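
An added illustration, not part of the original message and not taken from the FreeRADIUS distribution: the crypt-hash case described above (EAP-TTLS outside, PAP inside, server certificate only) sketched as FreeRADIUS configuration. It assumes the 2.x file layout, since the thread does not state a version; the user name, password hash and certificate paths are placeholders.

```conf
# --- raddb/eap.conf: outer method is EAP-TTLS (no client certificates) ---
eap {
	default_eap_type = ttls

	tls {
		# Placeholder paths: use the server's own key and certificate.
		# Keep the remaining settings of the shipped tls section as they are.
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
	}

	ttls {
		# Hand the tunnelled request to a separate virtual server.
		virtual_server = "inner-tunnel"
		copy_request_to_tunnel = no
		use_tunneled_reply = no
	}

	# No peap section is relied on here: PEAP carries MSCHAP only,
	# which needs the NT hash or the cleartext password.
}

# --- raddb/sites-available/inner-tunnel: inner method is PAP ---
server inner-tunnel {
	authorize {
		files   # finds the user and adds Crypt-Password to the control items
		pap     # listed last; sets Auth-Type to PAP if nothing else has set it
	}
	authenticate {
		Auth-Type PAP {
			# Hashes the tunnelled User-Password and compares it
			# with the stored crypt value.
			pap
		}
	}
}

# --- raddb/users: constructed sample entry, hash is a placeholder ---
exampleuser  Crypt-Password := "<crypt-hash-placeholder>"
```

The password reaches the server in cleartext only inside the TLS tunnel, so clients need to validate the server certificate for this setup to protect it.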

