With that, and a few configuration options (like making sure the host was
connected to the domain and ntlm_auth functioned as required), I've managed
to get PEAP and EAP-MSCHAPv2 working fine to the ntdomain.
EAP-TTLS works fine with an account in the "users" file that has a clear
text password, as well as a local /etc/password account. Ideally this
should work with the ntdomain as well.
I'm testing with a laptop running XP, with the SecureW2 package installed
to provide TTLS.
If you are using EAP-TTLS/PAP then you'll need a plain text password -
this can be done via kerberos to the AD.
This is a Samba NT domain, not AD. I do not have access to the plain
text password through Samba or LDAP.
The "Protocol and Password Compatibility" chart and the "Authentication
Systems and Password Compatibility" chart from the "Deploying RADIUS:
The Book" page specifically say PAP/ntlm_auth is functional. Regular
CHAP is not because it requires the clear-text password.
Otherwise EAP-TTLS/MSCHAPv2 should work just like PEAP
except when testing whether EAP-TTLS works, it doesn't help much.
I'd advise to get rid of the DEFAULT Auth := System line from the users file
Done.. auth to the /etc/passwd accounts doesn't make much sense.
--
James A. McOrmond ([EMAIL PROTECTED])
Network Administrator
Xandros Corporation, Ottawa, Canada.
Morpheus: ...after a century of war I remember that which matters most:
*We are still HERE!*