Thanks Stefan for all your important help. Regards,
Roberto

2013/9/19 <stefan.pae...@diamond.ac.uk>:
>> What I mean is that EAP-TLS is easier to me than AD authentication at
>> this point, because I've just put it to work...and if I want to use AD
>> auth I have to take EAP-TLS out and start again with NTLM / AD
>> authentication....is it OK ???
>
> Roberto, you don't have to remove EAP-TLS to support NTLM/MS-CHAPv2
> authentication. What you can do in eap.conf is specify which EAP type you
> want to use by default. If you prefer EAP-TLS, you can specify
> default_eap_type = tls. But if the client does not support that and asks for
> EAP-TTLS or PEAP instead, then, if your server is configured correctly, it
> can support those additional types too.
>
> For NTLM authentication, what you *do* need is to add your FreeRADIUS machine
> to the Windows 2012 domain. Since you're on a flavour of Unix/Linux, you need
> to install Samba on your Linux box and configure it to talk to the Windows
> 2012 domain controller (via Kerberos).
>
> You may want to read this page, which describes how we've made authentication
> against Active Directory work with PEAP (specifically PEAP with EAP-MSCHAPv2)
> and EAP-TTLS with EAP-MSCHAPv2:
>
> http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source
>
> We don't use PEAP and don't have any test clients that support PEAP, but
> EAP-TTLS/EAP-MSCHAPv2 works splendidly (which is good enough for our purposes
> and is widely supported by Windows clients).
>
> You can use rad_eap_test (there is information about this on the link above,
> including how to build the binary) to specify which EAP method you want to
> use and then which inner authentication to use (where applicable). So you can
> leave your existing setup (I assume default_eap_type is 'tls') alone and
> still test your NTLM authentication.
>
> Folks, feel free to correct... but that's what worked here.
>
> Stefan
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
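For readers following the thread, here is a FreeRADIUS 2.x configuration fragment in the shape Stefan describes: EAP-TLS stays the default type, while TTLS and PEAP are also enabled with EAP-MSCHAPv2 inside the tunnel, and the mschap module hands the challenge/response to the domain controller through Samba's ntlm_auth. This is an added illustration, not configuration from the thread or from the Diamond wiki page; the file paths, the domain name EXAMPLE and the certificate file names are assumptions.

```conf
# eap.conf (FreeRADIUS 2.x layout; paths and file names are assumed)
eap {
	# Offered first when the supplicant does not ask for a type.
	# A client that NAKs TLS and asks for TTLS or PEAP still gets
	# it, because those sub-sections are enabled below too.
	default_eap_type = tls

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		# Reject revoked client certificates (CRL must be present in cadir).
		check_crl = yes
	}

	ttls {
		# Inner method carried inside the TLS tunnel.
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}

	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}

# modules/mschap: verify the MS-CHAPv2 response against AD via winbind.
# Requires the host to be joined to the domain and the radiusd user to
# be able to read the winbindd_privileged socket (assumed domain EXAMPLE).
mschap {
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Before testing through RADIUS at all, confirm the Samba side on its own: `wbinfo -t` checks the trust secret with the DC, and running `ntlm_auth --request-nt-key --domain=EXAMPLE --username=<user> --password=<pass>` by hand as the radiusd user shows whether winbind will answer; if that works but the EAP test fails, the winbindd_privileged socket permissions are the usual culprit. Then run rad_eap_test once with `-e TLS` and once with `-e TTLS -2 MSCHAPV2` (flag names as in that tool's usage text; check them against your build) to see both paths succeed side by side. One caveat worth keeping in mind when MS-CHAPv2 is added next to EAP-TLS: the password-based path is only as strong as the client's validation of the server certificate. A supplicant that accepts any server certificate will hand its MS-CHAPv2 challenge/response pair to a rogue access point, and that pair can be attacked offline, so push the CA and the expected server name to the Windows clients rather than leaving certificate checking unset.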