TTLS/PAP and Active Directory
Клеусов Владимир Сергеевич
Kleusov.Vladimir at wildberries.ru
Fri Jul 10 15:33:27 CEST 2020
Hello, colleagues. Thanks for the help. I was able to configure it. Can we add instructions to the site?
> On July 9, 2020, at 23:36, Alan DeKok <aland at deployingradius.com> wrote:
>
>
>
>> On Jul 9, 2020, at 2:17 PM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> Did I understand the procedure correctly?
>> 1) In the eap module we specify the root certificate
>> 2) Creating client certificates and signing with this root certificate
>
> EAP-TLS requires client certificates. TTLS does not.
>
>> 3) On the Windows client we add our root certificate to trusted root certificates
>> 4) On the Windows client we add the generated client certificates to the trusted personal certificates
>
> For EAP-TLS. Not for TTLS.
>
>> If this is true, does ttls/pap require certificates on the server and client? I thought ttls/pap only requires certificates on the server
>
> Doing *any* TLS requires that the Windows client knows about the root CA.
>
> You *don't* need a client certificate for TTLS + PAP.
>
> You *do* need a client certificate for EAP-TLS.
>
> You *do* need a server certificate which is on FreeRADIUS. That server certificate *must* be signed by the root CA.
>
> Alan DeKok.
>
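
The trust relationship described in the reply above (the client knows the root CA, and the server certificate is signed by that root CA) can be checked with the `openssl` command-line tool. This is an added example, not part of the original thread or of FreeRADIUS; the CA names, the host name `radius.example.org` and all files are constructed in a temporary directory, and `openssl verify` stands in for the chain check a TLS client performs.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up for this example.
set -e

make_ca() {   # $1 = directory for the CA files, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_server_cert() {   # $1 = CA directory, $2 = output file prefix, $3 = server CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

chain_ok() {   # $1 = root CA the client trusts, $2 = server certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    mkdir "$d/trusted" "$d/other"
    make_ca "$d/trusted" "Example Root CA"   # the root CA installed on the client
    make_ca "$d/other" "Unrelated CA"        # a CA the client has never seen
    issue_server_cert "$d/trusted" "$d/good" radius.example.org
    issue_server_cert "$d/other" "$d/bad" radius.example.org
    # The client only accepts a server certificate that chains to its trusted root.
    if chain_ok "$d/trusted/ca.pem" "$d/good.pem"; then r1=accept; else r1=reject; fi
    if chain_ok "$d/trusted/ca.pem" "$d/bad.pem"; then r2=accept; else r2=reject; fi
    rm -rf "$d"
    echo "$r1 $r2"
}

demo
```

No client certificate is created anywhere in this script, which matches the TTLS + PAP case in the reply.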