On 10/21/2010 06:40 PM, Rowley, Mathew wrote:
> I am kind of confused - one of our use cases is having our wireless
> infrastructure authenticating through freeradius and in the end AD. Why
> would it matter that freeradius uses rlm_krb5? Wouldn't it look something
> like:
> User----AP----Controller----freeradius----AD
> Anything-auth radius kerberos
> Controller configured
This is an FAQ, and you can find plenty of discussion on the list, or
see here:
http://deployingradius.com/documents/protocols/compatibility.html
Suffice to say that there are many different ways to interact with AD,
and the different protocols (Kerberos, LDAP, NT domain RPCs) have very
different capabilities.
Only one method can authenticate 802.1x from stock Windows clients
against Active Directory using username/password credentials, and that
is the "mschap" module using Samba & domain RPCs via the ntlm_auth
helper binary. This is a fundamental cryptographic property of the
EAP-PEAP/MSCHAP protocols which Windows supports.
If you install additional 802.1x supplicant software on your Windows
clients, you can use another EAP method which does send plaintext
passwords to the server (e.g. EAP-TTLS/PAP) and rlm_krb5 will be able to
process those.
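
The two paths described in the reply above, as an added configuration sketch (not part of the original post and not copied from the FreeRADIUS distribution). The ntlm_auth path, the MYDOMAIN name and the placement of the unlang blocks are assumptions, and the exact expansion syntax differs between FreeRADIUS versions.

```text
# --- Path 1: stock Windows supplicant, EAP-PEAP/MSCHAPv2 ------------------
# The server never sees a password, only a challenge and the client's
# NT-Response. The mschap module passes both to Samba's ntlm_auth helper,
# which asks a domain controller (via winbind) to check the response.
# A Kerberos or LDAP-bind backend cannot do this: it has no password to
# present.
mschap {
    ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
        --username=%{mschap:User-Name:-None} \
        --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} \
        --challenge=%{mschap:Challenge:-00} \
        --nt-response=%{mschap:NT-Response:-00}"
}

# --- Path 2: add-on supplicant, EAP-TTLS/PAP -------------------------------
# Inside the TLS tunnel the request carries a cleartext User-Password, so a
# module that needs the password itself (rlm_krb5) can process it.
# Assumed location: the virtual server that handles the tunnelled request.
authorize {
    if (User-Password) {
        update control {
            Auth-Type := Kerberos
        }
    }
}
authenticate {
    Auth-Type Kerberos {
        krb5
    }
    Auth-Type MS-CHAP {
        mschap
    }
}
```

With path 2 the cleartext password is protected only by the TTLS tunnel, so the supplicant must be configured to validate the RADIUS server's certificate before sending it.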