So do I need to compile with rlm_krb?  I am on Solaris 9 and was trying to compile with Kerberos but the Solaris distro does not include the necessary header files and I did not really want to open a whole new can of worms.  What I was hoping to do was to have the freeradius box be root CA and the M$ box be subordinate stand-alone CA and use PEAP.  Do you have any config suggestions for the MSCHAPv2 + PEAP?

TIA,
Steve




Kevin C Miller <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/01/2004 07:21 AM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: Wireless Authentication against Windows AD





> Does anyone know if wireless authentication (LEAP, PEAP, EAP, TLS, TTLS)
> is possible using freeradius authenticating to Windows AD without having
> to enter usernames or any user information on the freeradius box?  I am
> still not sure why it cannot use the LDAPS connection that I have working
> from freeradius to Windows AD for simple authentication.  Am I the only
> one trying to accomplish this task?

I haven't done this specifically, but you should first try to narrow down
the EAP types you are considering. TLS, for example, will require a client
certificate. TTLS will require a third-party client for Windows.

I would look at MS-CHAPv2 with PEAP. Given your AD you should have the
necessary hashes to make this work.

What I have done is use the SecureW2 client with TTLS-PAP to authenticate
against a KDC. In this case PAP is necessary to transport the password to
the server, as the password is required to verify the Kerberos credentials.

-Kevin

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
