On 05/22/2013 12:58 AM, Tena Gore wrote:
I'd like to verify that I'm on the right track here with setting up the
protocols and types to use.
See:
http://deployingradius.com/documents/protocols/compatibility.html
We have to use PAP because of not having clear text passwords?
Well, you said what it's wasn't, but didn't say what it *was*.
MSCHAP requires the NT hash, or the cleartext to generate the NT hash.
If you have a crypt (old or new style) then yes, you will need to use PAP.
To avoid client certificates, we can use PEAP type of EAP?
PEAP does not support PAP, only MSCHAP.
To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7
without 3rd party software.
Also, we have a wildcard domain SSL certificate, can this be used or do
we have to create a new one for this purpose on the server?
People have reported problems with wildcard certs and windows clients.
See the list archives.
Is there a recommended configuration for this type of deployment? Do you
have any tips or tricks that would make our deployment go smoother?
"Recommended" would be to move to store plaintext passwords, which will
let you use the full variety of EAP methods.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
