Is LDAP + EAP Possible For Me?
Matthew Newton
mcn4 at leicester.ac.uk
Tue Apr 15 15:01:44 CEST 2014
On Tue, Apr 15, 2014 at 08:41:51AM -0400, Ethan Chrisawn wrote:
> I've been searching for a while now, and I can't seem to find a
> good answer. I have an LDAP server and I would like to
> authenticate my users wirelessly without generating individual
> client certs for every device.
>
> I heard that PEAP doesn't require the manual creation of client
> certs, but I can't use that with LDAP because I can't pass it a
> cleartext password, right? What other options do I have to
> accomplish what I'm after?

Will your LDAP server give FreeRADIUS the cleartext password, or
the NTLM password?

If yes, then you can use PEAP/MSCHAPv2 or TTLS/MSCHAPv2.

If no, then you're probably limited to TTLS/PAP.

It depends on what your LDAP server will give access to:

http://deployingradius.com/documents/protocols/compatibility.html

If you're running AD, then you'll have to join FreeRADIUS to the
domain and use ntlm_auth.

If your LDAP server won't give access to any password, and you
want to auth by binding to it, then TTLS/PAP is your only option.

Matthew

--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
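
The rule in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code. It assumes the readable attributes are named userPassword and sambaNTPassword and uses an OpenLDAP-style {SSHA} value as the hashed case; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

MSCHAP = ["PEAP/MSCHAPv2", "TTLS/MSCHAPv2"]
PAP = ["TTLS/PAP"]


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, candidate: bytes) -> bool:
    """Check a cleartext candidate (what PAP delivers) against {SSHA}."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def usable_methods(readable: dict):
    """Return (EAP methods, how the password gets checked) for one user,
    given the attributes the RADIUS server is allowed to read."""
    if readable.get("sambaNTPassword"):
        return MSCHAP, "NT hash read from LDAP"
    pw = readable.get("userPassword")
    if pw is None:
        # Nothing readable: the only check left is binding as the user.
        return PAP, "LDAP bind with the PAP password"
    scheme = "CLEARTEXT"
    if pw.startswith("{") and "}" in pw:
        scheme = pw[1:pw.index("}")].upper()
    if scheme == "CLEARTEXT":
        return MSCHAP, "cleartext read from LDAP"
    # A one-way hash can verify a submitted cleartext, nothing else.
    return PAP, "PAP password hashed and compared to {%s}" % scheme


# Constructed sample entries, one per case in the reply.
SAMPLES = {
    "cleartext": {"userPassword": "s3cret"},
    "nt-hash": {"sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF"},
    "hashed": {"userPassword": make_ssha(b"s3cret", b"saltsalt")},
    "bind-only": {},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        methods, how = usable_methods(entry)
        print(f"{name:10} {', '.join(methods):30} {how}")
    print(check_ssha(SAMPLES["hashed"]["userPassword"], b"s3cret"))
```
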