Does anyone know if wireless authentication (LEAP, PEAP, EAP, TLS, TTLS)
is possible using freeradius authenticating to Windows AD without having
to enter usernames or any user information on the freeradius box?  I am
still not sure why it cannot use the LDAPS connection that I have working
from freeradius to Windows AD for simple authentication.  Am I the only
one trying to accomplish this task?

I haven't done this specifically, but you should first try to narrow down the EAP types you are considering. TLS, for example, will require a client certificate. TTLS will require a third-party client for Windows.


I would look at MS-CHAPv2 with PEAP. Given your AD you should have the necessary hashes to make this work.

What I have done is use the SecureW2 client with TTLS-PAP to authenticate against a KDC. In this case PAP is necessary to transport the password to the server, as the password is required to verify the Kerberos credentials.

-Kevin
