Hi,

> So then it seems to me that my best solution would then be to implement
> either an EAP-PEAP or EAP-TTLS solution authenticating against either my

PEAP or TTLS? no reason why you cannot have both. FreeRADIUS is quite happy doing both at the same time... especially if you use MSCHAPv2 as the inner auth for the TTLS. it's the same ntlm_auth line then too.

> and passwords. What would, in your opinion, be better? TTLS or PEAP?

it's down to philosophy more than anything - until the proof that PEAP can be broken with a simple tool ;-) - some implementations of PEAP are known to be 'leaky' - they leak some of the challenge/response. that said, if you want anonymity, TTLS is the only way - can use an anonymous auto identity. with most PEAP, your inner username is thrown to the outer identity by default.

> Also, if I had a laptop for school-only use (say, for example, a laptop that
> we provide for the users), in this case the wireless connection would need to
> be established without user input (for example, have the machine connected
> already so that the user can log into the machine through windows). Could I

if you use the AD, you can configure it to use machine authentication... in this case the machine ID is in the AD and the system logs in before the user - now you can have active, non-cached user logins too.

alan
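The anonymity point in the reply above can be audited on the server side, where both the outer identity and the inner (tunnelled) identity are visible. The following Python script is an added example, not part of the original message and not FreeRADIUS code; the record layout, the sample data, and the `host/` prefix used to recognise machine accounts are assumptions.

```python
# Added example: classify outer EAP identities against the inner identity.
# SAMPLE is constructed data: (outer identity, inner identity, EAP type).
SAMPLE = [
    ("anonymous@example.org", "jsmith", "TTLS"),
    ("@example.org", "mbrown", "TTLS"),
    ("EXAMPLE\\alee", "alee", "PEAP"),
    ("kpatel@example.org", "kpatel", "PEAP"),
    ("host/laptop01.example.org", "host/laptop01.example.org", "PEAP"),
]


def bare_user(identity):
    """Strip a DOMAIN\\ prefix and an @realm suffix, then lower-case."""
    name = identity.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def classify(outer, inner):
    """Return how much the cleartext outer identity reveals."""
    if outer.lower().startswith("host/"):
        return "machine"  # machine authentication (assumed naming)
    user = bare_user(outer)
    if user in ("", "anonymous"):
        return "anonymous"  # realm-only or explicit anonymous
    if user == bare_user(inner):
        return "leaks-inner-username"  # inner name copied to the outer identity
    return "other"  # a pseudonym unrelated to the inner name


def audit(records):
    """Classify every record, keeping the EAP type for reporting."""
    return [(outer, eap, classify(outer, inner))
            for outer, inner, eap in records]


if __name__ == "__main__":
    for outer, eap, verdict in audit(SAMPLE):
        print(f"{eap:5} {outer:28} {verdict}")
```
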