I am kind of confused - one of our use cases is having our wireless
infrastructure authenticating through freeradius and in the end AD. Why
would it matter that freeradius uses rlm_krb5? Wouldn't it look something
like:

User----AP----Controller----freeradius----AD
  Anything-auth        radius       kerberos
Controller configured




On 10/21/10 9:16 AM, "Phil Mayers" <p.may...@imperial.ac.uk> wrote:

>On 21/10/10 15:50, Rowley, Mathew wrote:
>> Ah, that is true. I never thought that deeply into it, and only did a
>>POC.
>> Is the downfall of doing things this way that passwords must be sent in
>> the clear?
>
>Not really. The User-Password radius field is "encrypted" with the
>shared secret, which is reasonable (though not excellent) security.
>
>For wireless/wired 802.1x users, the issue is that the windows
>supplicant does not *support* EAP-TTLS/PAP. It only supports
>EAP-PEAP/MS-CHAP, so rlm_krb5 is no use in this (common) case.
>
>As I say, if you're just checking PAP it may meet your needs.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html