Tom,

Thank you for the approach below.
I understand EAP-TTLS as outer would work.

However,
Question is if one does not want to use EAP-TTLS but
use EAP-PEAP w/ MSCHAPv2 only and use AD only as
User profile storage, what do you suggest ?

Per Alan's last email, he feels ntlm_auth from Samba
(which has been made to work for pppd by Andrew
Bartlett) would work when patched into FreeRADIUS.

Any thoughts ?

Thank you,


--- Tom Rixom <[EMAIL PROTECTED]> wrote:
> There are many ways to solve this problem but not
> all are very clean. 
>  
> We use EAP-TTLS-EAP-MSCHAPV2.
>  
> What you do is setup an EAP-TTLS front-end server
> that sends the inner authentication 
> EAP-MSCHAPV2 to an IAS server in an AD domain. This
> allows us to authenticate COMPUTERS and USERS with
> 802.1X.
>  
> Hope the drawing turns out ok:
>  
> ---- TLS tunnel------------------------------------
> EAP-MSCHAPV2 <------------------------ INNER ---------------------------->
> ---------------------------------------------------------
> TTLS <-------- OUTER ---------------------->
> Client         AP              TTLS front end
> (Linux)       IAS server (Active Directory)
>  
> The problem on the client side though is that the
> IAS server sends certain attributes back to the
> client (NOT THE TTLS SERVER)
> that need to be handled correctly. This means you
> will require a certain TTLS client... :P
>  
> Furthermore, the IAS server (Microsoft RADIUS
> server) needs to be tweaked as this does not support
> EAP-MSCHAPV2
> as an EAP type by default. (But it is a simple
> registry change)
>  
> We have this running in house and it allows us FULL
> single sign-on using our laptops and the AD domain
> which looks
> really cool ;)
>  
> I will try to do the same using FreeRadius this week
> but I don't have much time.. :(
>  
> Regards,
>  
> Tom Rixom
> 
> -----Original Message-----
> From: Steve OBrien [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 06, 2004 1:46 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PEAP w/MS-CHAPv2:: Wireless
> Authentication against Windows AD as user profile
> storage
> 
> 
> 
> >Question: Can FreeRADIUS use ntlm_auth from Samba
> >to make this happen ? 
> 
> or Kerberos?
> 
> 
> TIA, 
> Steve
> 
> 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
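The ntlm_auth route Steve asks about (PEAP with inner MS-CHAPv2, Active Directory used only as the account store) became a standard FreeRADIUS setup in later releases. The following is an added example of that configuration in FreeRADIUS 2.x syntax; it is not code from this thread, from Alan, Tom or Steve, nor a FreeRADIUS default file. The ntlm_auth path, the domain name EXAMPLE, the certificate file names and the prerequisite notes are assumptions.

```conf
# Added example: FreeRADIUS 2.x-style configuration that hands the PEAP
# inner MS-CHAPv2 exchange to Samba's ntlm_auth.  Paths, the domain name
# and certificate names are placeholders, not values from the thread.
#
# Assumed prerequisites on the RADIUS host: it is joined to the domain
# ("net ads join"), winbindd is running, and the user radiusd runs as can
# open winbindd's privileged pipe (normally via the winbindd_priv group);
# otherwise ntlm_auth refuses --request-nt-key and every login fails.

# --- modules/mschap ---------------------------------------------------
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes          # only 128-bit MPPE keys, no MS-CHAPv1 fallback
	with_ntdomain_hack = yes      # accept DOMAIN\user as Windows supplicants send it

	# The MS-CHAPv2 challenge and NT-Response are passed to ntlm_auth, which
	# validates them against a domain controller through winbindd and returns
	# the NT key FreeRADIUS needs to derive the MPPE keys.  No password hashes
	# are stored on the RADIUS server; AD stays the only credential store.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# --- eap.conf ---------------------------------------------------------
eap {
	default_eap_type = peap
	timer_expire     = 60
	max_sessions     = 4096

	tls {
		certdir = ${confdir}/certs
		# Server certificate presented for the outer TLS tunnel.  The
		# supplicant must be configured to validate it against ca.pem;
		# without that check the client hands its MS-CHAPv2 response to
		# whatever server terminates the tunnel.
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file          = ${certdir}/ca.pem
		cipher_list      = "HIGH"
	}

	peap {
		default_eap_type   = mschapv2   # inner method carried inside PEAP
		use_tunneled_reply = yes        # copy inner reply attributes outward
	}

	mschapv2 {
	}
}

# --- sites-enabled/default (only the sections that matter here) --------
authorize {
	# rlm_mschap strips the NT domain prefix and sets Auth-Type := MS-CHAP
	# when it sees MS-CHAP attributes in the (tunneled) inner request.
	mschap
	eap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

Before involving RADIUS at all, run ntlm_auth by hand as the same Unix user radiusd uses (for example `ntlm_auth --request-nt-key --domain=EXAMPLE --username=someuser --password=...`); if that returns anything other than NT_STATUS_OK the problem is winbindd, the domain join or pipe permissions, not FreeRADIUS. `require_strong` and `require_encryption` are defaults worth keeping: MS-CHAPv2 is only as safe as the TLS tunnel around it, so the supplicant-side CA check on the server certificate is the control that actually protects the user's credentials.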
