On 21/10/10 15:50, Rowley, Mathew wrote:
> Ah, that is true. I never thought that deeply into it, and only did a POC. Is the downfall of doing things this way that passwords must be sent in the clear?
Not really. The User-Password radius field is "encrypted" with the shared secret, which is reasonable (though not excellent) security.
For wireless/wired 802.1x users, the issue is that the Windows supplicant does not *support* EAP-TTLS/PAP. It only supports EAP-PEAP/MS-CHAP, so rlm_krb5 is no use in this (common) case.
As I say, if you're just checking PAP it may meet your needs.