Help with EAP-TTLS and PAP
mcn4 at leicester.ac.uk
Mon Nov 23 14:15:41 CET 2015
On Mon, Nov 23, 2015 at 11:19:49AM +0100, Hans Hering wrote:
> We have a Sun DS with salted SHA1 passwords, freeradius 3.0.10,
> Aruba IAP-225 access points and Windows and OS X clients.
What version of Windows?
> My goal is having the users log on to the WPA2 Enterprise wifi
> with their LDAP credentials and no client configuration
> whatsoever. This means I don't want to install network profiles
> on the Macs and no EAP-GTC plugins on the Windows machines.
A noble goal, but I'm afraid you're likely to be disappointed.
> From what I've read, this should be possible with EAP-TTLS and
> inner PAP, as PAP can work with salted SHA1 passwords. However,
Windows 7 and earlier can't do EAP-TTLS/PAP natively.
Pretty much the only options available by default on both are
EAP-TLS or PEAP/EAP-MSCHAPv2. The latter is ruled out if you have
passwords in SHA1, so you're just down to certificates. Which
requires provisioning on the clients.
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
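
The point made in this thread about inner PAP and salted SHA1, as an added example that is not part of the original post and is not FreeRADIUS code: PAP hands the server the cleartext password inside the TTLS tunnel, so the server can re-hash it with the stored salt and compare. The function names, the sample password and the salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP-style value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> tuple[bytes, bytes]:
    """Return (digest, salt) from an {SSHA} value, rejecting malformed input."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:], validate=True)  # raises ValueError if bad
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_pap_against_ssha(cleartext: str, stored: str) -> bool:
    """Check a PAP password against the stored hash.

    This works because PAP gives the server the cleartext. A challenge-response
    method such as MSCHAPv2 never does: the server must already hold the
    cleartext or the NT hash to compute the expected response, and neither can
    be derived from a salted SHA-1 digest.
    """
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample entry, as a directory might store it.
    stored = make_ssha("correct horse", b"\x01\x02\x03\x04")
    print(stored)
    print(verify_pap_against_ssha("correct horse", stored))  # matching password
    print(verify_pap_against_ssha("wrong guess", stored))    # non-matching password
```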