If one has Supplicant (client) configured for
EAP-PEAP w/ MS-CHAPv2 and on FreeRADIUS (or any
other RADIUS server) configured to terminate PEAP
w/ MS-CHAPv2, but user profiles are stored on
Active Directory.

Does FreeRADIUS support this ?

If userprofile is on LDAP I think it would work since
LDAP bind/search would return userPassword attribute,
whereas AD does not.  Thus CHAP cannot be done in AD
case. Is this true ?

Currently EAP-PEAP w/ MS-CHAPv2 termination works on
some commercial FreeRADIUS servers who are running
MS-Windows OS/kernel. As I understand in this case
MS allows trusted domains to retrieve userPassword 
attribute from AD query, thus making CHAP work.
Is this right ?

Can someone please comment and share some wisdom ?
Alan.D: Any suggestions ?


Thanks in advance,


--- Tom Rixom <[EMAIL PROTECTED]> wrote:
> I am not sure what you want to do, do you mean using
> FreeRadius to terminate
> the PEAP tunnel and then use the inner MSCHAPV2
> against Active Directory?
> 
> If so this is not possible with the MS PEAP client:
> 
> Reason one is that you need to change a registry
> setting on the IAS server
> to allow the IAS to do EAP-MSCHAPV2 as this is not
> allowed by default.
> 
> Reason two is that the IAS server uses certain other
> (non eap) attributes
> to authenticate the user which are not supported by
> the MS PEAP client.
> 
> This is however possible using (sorry for the
> advertisement) SecureW2 2.0.0 
> with Inner EAP-MSCHAPV2 and a small tweak of the IAS
> server in the AD.
> 
> I have however never tested this with FreeRadius
> (But it does work with other
> RADIUS servers).
> 
> I will test it out next week and let you know how it
> went.
> 
> Tom Rixom
> 
> > -----Original Message-----
> > From: Jack J [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, April 03, 2004 2:22 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Wireless Authentication against Windows AD
> > 
> > 
> > 
> > Can someone please advise ?
> > 
> > Thanks,
> > 
> > 
> > --- Jack J <[EMAIL PROTECTED]> wrote:
> > > 
> > > Kevin,
> > > 
> > > I am trying to use MSCHAPv2 w/ PEAP against AD
> > > using FreeRADIUS.
> > > Could you please shed some light/pointers on
> > > how to configure this ?
> > > 
> > > Thanks,
> > > 
> > > --- Kevin C Miller <[EMAIL PROTECTED]> wrote:
> > > > > Does anyone know if wireless authentication (LEAP, PEAP, EAP, TLS, TTLS)
> > > > > is possible using freeradius authenticating to Windows AD without having
> > > > > to enter usernames or any user information on the freeradius box?  I am
> > > > > still not sure why it cannot use the LDAPS connection that I have working
> > > > > from freeradius to Windows AD for simple authentication.  Am I the only
> > > > > one trying to accomplish this task?
> > > >
> > > > I haven't done this specifically, but you should first try to narrow down
> > > > the EAP types you are considering. TLS, for example, will require a client
> > > > certificate. TTLS will require a third-party client for Windows.
> > > >
> > > > I would look at MS-CHAPv2 with PEAP. Given your AD you should have the
> > > > necessary hashes to make this work.
> > > >
> > > > What I have done is use the SecureW2 client with TTLS-PAP to authenticate
> > > > against a KDC. In this case PAP is necessary to transport the password to
> > > > the server, as the password is required to verify the Kerberos credentials.
> > > > 
> > > > -Kevin
> > > > 
> > > > - 
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > 
> > 
> > 
> 


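The constraint this thread circles around, as an added example that is not part of any poster's message and not FreeRADIUS code: a challenge-response verifier has to recompute the response from stored credential material, while a backend that only accepts bind attempts can confirm a presented password (the tunnelled PAP case Kevin describes) but has nothing to hash a challenge with. It uses RFC 1994 CHAP-MD5 as a standard-library stand-in for MS-CHAPv2, where the NT hash plays the role of the stored secret; the store classes, user name, password and challenge are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(ident, secret, challenge):
    # RFC 1994 CHAP: MD5(identifier octet || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ReadableStore:
    """Constructed backend: the server can read the stored secret."""
    def __init__(self, users):
        self._users = users
    def secret_for(self, user):
        return self._users.get(user)
    def bind(self, user, password):
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

class BindOnlyStore(ReadableStore):
    """Constructed backend: answers bind attempts, never discloses secrets."""
    def secret_for(self, user):
        return None

def verify_chap(store, user, ident, challenge, response):
    """True/False when the response can be recomputed, None when it cannot."""
    secret = store.secret_for(user)
    if secret is None:
        return None  # no credential material to hash the challenge with
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)

def verify_pap(store, user, password):
    """PAP inside a tunnel: the password itself reaches the server."""
    return store.bind(user, password)

def demo():
    users = {"jack": b"correct horse"}      # constructed account
    ident, challenge = 7, bytes(range(16))  # constructed challenge
    response = chap_response(ident, users["jack"], challenge)  # client side
    readable, bind_only = ReadableStore(users), BindOnlyStore(users)
    return {
        "chap_readable": verify_chap(readable, "jack", ident, challenge, response),
        "chap_bind_only": verify_chap(bind_only, "jack", ident, challenge, response),
        "pap_bind_only": verify_pap(bind_only, "jack", b"correct horse"),
    }

if __name__ == "__main__":
    print(demo())
```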