There are many ways to solve this problem but not all are very clean. We use EAP-TTLS-EAP-MSCHAPV2.

What you do is set up an EAP-TTLS front-end server that sends the inner authentication EAP-MSCHAPV2 to an IAS server in an AD domain. This allows us to authenticate COMPUTERS and USERS with 802.1X.

Hope the drawing turns out ok:
                  ---- TLS tunnel -----------------------------------------------
   EAP-MSCHAPV2   <---------------------------- INNER ------------------------->
                  ---------------------------------------------------------------
   TTLS           <------------ OUTER ------------>

   Client         AP           TTLS front end (Linux)      IAS server (Active Directory)
The problem on the client side though is that the IAS server sends certain attributes back to the client (NOT THE TTLS SERVER) that need to be handled correctly. This means you will require a certain TTLS client... :P

Furthermore, the IAS server (Microsoft RADIUS server) needs to be tweaked as this does not support EAP-MSCHAPV2 as an EAP type by default. (But it is a simple registry change.)

We have this running in house and it allows us FULL single sign-on using our laptops and the AD domain, which looks really cool ;)

I will try to do the same using FreeRadius this week but I don't have much time.. :(

Regards,
Tom Rixom
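As an added illustration (not Tom's configuration and not the FreeRADIUS project's own files), this is what the TTLS front end described above could look like in FreeRADIUS 3.x: the outer EAP-TTLS is terminated locally and the inner EAP-MSCHAPv2 is proxied to the IAS server in the AD domain. The home server address, shared secret and realm name are placeholders.

```conf
# raddb/mods-available/eap (excerpt): outer EAP-TTLS with inner EAP-MSCHAPv2
eap {
    default_eap_type = ttls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }

    ttls {
        tls = tls-common
        # the client sends EAP-MSCHAPv2 inside the TLS tunnel
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # inner (tunnelled) request is handled by this virtual server
        virtual_server = "inner-tunnel"
    }
}

# raddb/proxy.conf (excerpt): the IAS server in the AD domain as a home server
home_server ias-ad {
    type   = auth
    ipaddr = 192.0.2.10        # placeholder: IAS server address
    port   = 1812
    secret = CHANGE-ME         # placeholder: RADIUS shared secret
}

home_server_pool ias-ad-pool {
    type = fail-over
    home_server = ias-ad
}

realm ias-ad {
    auth_pool = ias-ad-pool
    nostrip                    # keep the full User-Name when forwarding
}

# raddb/sites-available/inner-tunnel (excerpt): forward the inner EAP to IAS
authorize {
    # mark the inner request for proxying before the eap module sees it
    update control {
        &Proxy-To-Realm := "ias-ad"
    }
    eap
}
```

The `update control` entry has to come before `eap` in the inner-tunnel authorize section, so that the EAP module does not try to complete the MSCHAPv2 exchange locally. The outer server still needs a certificate the clients trust, since the TLS tunnel terminates on the Linux front end, not on IAS.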
-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 1:46 AM
To: [EMAIL PROTECTED]
Subject: Re: PEAP w/MS-CHAPv2:: Wireless Authentication against Windows AD as user profile storage
> Question: Can FreeRADIUS use ntlm_auth from Samba
> to make this happen?
or Kerberos?
TIA,
Steve