moving from WPA2 to WPA2 Enterprise

A.L.M.Buxey at lboro.ac.uk
Tue Jun 23 23:35:34 CEST 2015


Hi,

> So Windows 7 doesn't support EAP-TTLS out of the box, right?

correct. Windows 8 and above...

> What other options are there? My feeling is that the second-best option is to use client certificates. But would I still be able to use OpenLDAP in the background?

yes... if the client certs have identifiable attributes in them that can be checked against
your LDAP - e.g. username is embedded in the CommonName... or use one of the other cert fields for
options in your LDAP etc.

> What about revocation lists? How do I take care of them?

CRL or OCSP - I'd go down the OCSP route myself...

> Maybe there's another way. Our LDAP also stores NTLM passwords for Samba.

in that case, use that attribute for the authentication... once the FreeRADIUS server
has read that, you can use EAP-PEAP/MSCHAPv2 and your life will be simpler

alan
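
The certificate-to-LDAP check mentioned in the reply, as an added example that is not part of the original post or of FreeRADIUS: it takes the single CommonName from a certificate subject string and builds an escaped LDAP search filter, failing closed on anything ambiguous. The function names, the `uid` attribute, the `posixAccount` object class and the username pattern are assumptions, and the subject strings are constructed samples.

```python
import re

# Assumed site policy: short lowercase account names only.
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair intact
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def username_from_subject(subject_dn):
    """Return the one CN in the subject if it is a valid username, else None."""
    cns = []
    for rdn in split_unescaped(subject_dn, ","):
        for ava in split_unescaped(rdn, "+"):      # multi-valued RDNs
            key, eq, value = ava.partition("=")
            if eq and key.strip().upper() == "CN":
                cns.append(value.strip())
    if len(cns) != 1:                              # missing or ambiguous CN
        return None
    # Escaped or unusual characters never match, so they are rejected here.
    return cns[0] if USERNAME_RE.fullmatch(cns[0]) else None

def ldap_escape(value):
    """Escape filter metacharacters as required by RFC 4515."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_filter_for_cert(subject_dn, attr="uid"):
    """Build the LDAP filter for a certificate subject, or None to reject."""
    user = username_from_subject(subject_dn)
    if user is None:
        return None
    return "(&(objectClass=posixAccount)(%s=%s))" % (attr, ldap_escape(user))

if __name__ == "__main__":
    for dn in ["CN=jdoe,OU=Staff,O=Example",       # constructed samples
               "CN=*)(uid=*,O=Example",
               "CN=jdoe,CN=admin,O=Example"]:
        print(dn, "->", ldap_filter_for_cert(dn))
```

The allow-list pattern already blocks filter metacharacters; the escaping stays in place so the filter remains safe if the pattern is later loosened.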

