> If I try to connect from a Windows client via a wireless AP "WIFIAP1" with
> Active Directory "user1" I see this in the log:
>
> Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>]
> (from client WIFIAP1 port 0 via TLS tunnel)
> Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>]
> (from client WIFIAP1 port 48 cli 001a73f7f0f7)
>
> Dumb question: does this mean the client used PEAP to connect? Can I
> deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

Can also be TTLS.

> If connected via PEAP, authentication is "secure". However, I'd like to
> know if the data exchanged between the clients and the rest of the LAN via
> the Access Point is also encrypted and "cannot be sniffed". Does this
> "data encryption" depend only on the AP's encryption settings (e.g. AES)
> and does FreeRadius get out of this equation after authentication?

Radius has nothing to do with that.

> If I install a self-signed certificate on another Windows client and
> connect via EAP-TLS then I can connect without having to use an Active
> Directory user, as expected.
>
> I'm wondering if I can *require* both a certificate on the client machine
> AND an AD user authentication. In other words, how can I *require*
> PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> PEAP OR EAP-TLS)
>
> Freeradius version: 2.0.5

Don't know about that version. It should say how to require certificates
for peap in eap.conf above peap section. At least it does in the current
version. If it doesn't - it probably isn't supported, so upgrade.

Ivan Kalik
Kalik Informatika ISP
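The following is an added example, not part of the original thread and not FreeRADIUS code: a small parser for the `Auth:` lines quoted above. It shows what the log can and cannot tell you, namely that a "via TLS tunnel" line marks a tunneled method without distinguishing PEAP from TTLS. The first two sample lines are the ones from the post, unwrapped; the third is constructed, and pairing an inner line with the next outer line from the same client is an assumed heuristic.

```python
import re

# One radius.log "Auth:" line, in the shape quoted in the thread.
AUTH_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} : Auth: Login (?P<result>OK|incorrect)"
    r".*?: \[(?P<user>[^/\]]*)(?:/(?P<detail>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^\s)]+))?(?P<tunnel> via TLS tunnel)?\)"
)

def classify(lines):
    """Return one verdict per successful outer (non-tunnel) login."""
    pending_inner = {}  # client name -> inner user waiting for its outer line
    verdicts = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m or m["result"] != "OK":
            continue
        if m["tunnel"]:
            # Inner request, handled inside the TLS tunnel.
            pending_inner[m["client"]] = m["user"]
            continue
        inner_user = pending_inner.pop(m["client"], None)
        if "Auth-Type = EAP" not in (m["detail"] or ""):
            method = "not EAP"
        elif inner_user is not None:
            # The log does not say which tunneled method was negotiated.
            method = "tunneled EAP (PEAP or TTLS)"
        else:
            # Assumption: no inner line means a non-tunneled method.
            method = "no inner login logged (non-tunneled EAP, e.g. EAP-TLS)"
        verdicts.append({"user": m["user"], "client": m["client"],
                         "cli": m["cli"], "inner_user": inner_user,
                         "method": method})
    return verdicts

SAMPLE = [
    # From the post (line wrapping removed):
    "Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] "
    "(from client WIFIAP1 port 0 via TLS tunnel)",
    "Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] "
    "(from client WIFIAP1 port 48 cli 001a73f7f0f7)",
    # Constructed: a login with no preceding inner-tunnel line.
    "Thu Oct 22 10:07:12 2009 : Auth: Login OK: [laptop2/<via Auth-Type = EAP>] "
    "(from client WIFIAP1 port 49 cli 00aabbccddee)",
]

if __name__ == "__main__":
    for verdict in classify(SAMPLE):
        print(verdict)
```

On a busy server, inner and outer lines from different sessions behind the same AP can interleave, so treat the pairing as a triage aid and confirm the negotiated EAP type from debug output.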