Thank you all for your replies. Our passwords are SALTED SHA1 encoded, so the chart you so kindly directed me to states we would have to use EAP-GTC with PAP. Seems I have quite a steep learning curve in a short amount of time.
On Wed, May 22, 2013 at 12:13 AM, Phil Mayers <p.may...@imperial.ac.uk>wrote: > On 05/22/2013 12:58 AM, Tena Gore wrote: > > I'd like to verify that I'm on the right track here with setting up the >> protocols and types to use. >> > > See: > > http://deployingradius.com/**documents/protocols/**compatibility.html<http://deployingradius.com/documents/protocols/compatibility.html> > > We have to use PAP because of not having clear text passwords? >> > > Well, you said what it's wasn't, but didn't say what it *was*. > > MSCHAP requires the NT hash, or the cleartext to generate the NT hash. > > If you have a crypt (old or new style) then yes, you will need to use PAP. > > To avoid client certificates, we can use PEAP type of EAP? >> > > PEAP does not support PAP, only MSCHAP. > > To use PAP you must use EAP-TTLS. This isn't supported on Windows <= 7 > without 3rd party software. > > Also, we have a wildcard domain SSL certificate, can this be used or do >> we have to create a new one for this purpose on the server? >> > > People have reported problems with wildcard certs and windows clients. See > the list archives. > > Is there a recommended configuration for this type of deployment? Do you >> have any tips or tricks that would make our deployment go smoother? >> > > "Recommended" would be to move to store plaintext passwords, which will > let you use the full variety of EAP methods. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/** > list/users.html <http://www.freeradius.org/list/users.html> >
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
