Active Directory authentication question
Roberto Carna
robertocarna36 at gmail.com
Wed Sep 18 17:01:34 CEST 2013
Arran, I have a private CA and I've created the server and client
certs of course...and I've generated the .p12 cert (includind the CA
cert) to install in my Windows 7 clients....it works OK.
What I mean is that EAP-TLS is easier to me than AD authentication at
this point, because I've just put it to work...and if I want to use AD
auth I have to take EAP-TLS out and start again with NTLM / AD
authentication....is it OK ???
Regards
2013/9/18 Arran Cudbard-Bell <a.cudbardb at freeradius.org>:
>
> On 18 Sep 2013, at 15:39, Roberto Carna <robertocarna36 at gmail.com> wrote:
>
>> Sorry, so I'm a bit confused...
>>
>> I'm using Windows 7 clients for accesing the WiFi network through
>> EAP-TLS with X.509 certificates. But in this way, I could see that I
>> can authenticate users or hosts...if I choose users, I can see a
>> dialog box to fill user and password and I suppose they are checked
>> against MySQL database (because I see the query in debug mode). Is
>> this correct or not ???
>
> MySQL can be used to retrieve additional attributes associated with a
> given user/host. It can even perform lookups based on fields in the
> cert presented, but it can't be used to store X.509 certificate data.
>
>> And finally, if I use EAP-TLS with X.509 certificates, do you mean I
>> don't need to use the authentication against the active directory
>> database ??? Maybe this is easier to me because I've put EAP-TLS to
>> work.
>
> No, the easier way is to complete the certificate chain using the
> signing cert which created the client certs in the first place. This needs
> to be made available to the EAP-TLS module.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list