PEAP - Intermediate CA

2009-05-11 Thread CJ O

Good Afternoon - 

I am having an issue where FreeRadius is not handing the intermediate CA to a 
Windows WPA2 client. We are in the process of deploying WPA2/AES with PEAP. So 
we purchased a certificate from a company that has a Trusted Root CA in 
Windows, Mac OSX, and Linux. However, it was signed with their intermediate CA, 
so the OS will not validate the certificate during authentication.

The only solution seems to be installing the intermediate CA certificate on all 
my clients (2,000-3,000). Is it possible to chain the certificates together 
like you can in Apache?

Thanks
CJ
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-13 Thread CJ O

Alan - 

Thank you. Making the change to the inner-tunnel worked.

Regards
CJ

> Date: Thu, 13 Nov 2008 08:44:07 +0100
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
> 
> CJ O wrote:
> > Good Afternoon -
> >  
> > I've read through a lot of threads and documents and have
> > pieced information together, however I am still having issues. We are
> > running an OpenLDAP with the passwords encrypted. I know that PEAP
> > requires the clear text password to be stored in the LDAP Server,
> 
>   No.  See:
> 
> http://deployingradius.com/documents/protocols/compatibility.html
> 
> > however, I've read also that as long as FreeRadius can get the NTLM
> > Password from LDAP PEAP should work.
> >  
> > We have also created a custom attribute called ntPasswd that holds the NTLM
> > Hash of the user's password. I have configured FreeRadius to authenticate
> > to the LDAP server and set the password_attribute = ntPasswd. In the
> > ldap.attrmap I've added two entries checkItem LM-Password ntPasswd and
> > checkItem NT-Password ntPasswd.
> >  
> > In eap.conf I've set default_eap_type = peap. In site-enable/default
> > under authorize I've uncommented ldap.
> 
>  You need to uncomment it in raddb/sites-enabled/inner-tunnel.  See the
> debug output.  It's running the inner-tunnel method, but LDAP isn't used
> there.
> 
>   Alan DeKok.
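
A check for the misconfiguration described in the reply above (ldap enabled in the default site but not in the inner-tunnel virtual server), as an added example that is not part of the original thread or of FreeRADIUS. The sample configs are constructed, the function names are hypothetical, and the parser assumes one brace per line:

```python
# Constructed samples modelled on raddb/sites-enabled/default and inner-tunnel.
DEFAULT_SITE = """
authorize {
    mschap
    eap {
        ok = return
    }
    ldap
}
"""

INNER_TUNNEL = """
server inner-tunnel {
authorize {
    mschap
    eap {
        ok = return
    }
#   ldap
}
}
"""

def section_modules(conf, section):
    """Return the module names called directly inside `section { ... }`."""
    depth, inside, modules = 0, None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()    # commented-out modules do not count
        if line.endswith("{"):
            name = line[:-1].strip()
            if inside is None and name == section:
                inside = depth                 # nesting level at which the section opened
            elif inside is not None and depth == inside + 1:
                modules.append(name)           # module with an override block, e.g. eap { }
            depth += 1
        elif line == "}":
            depth -= 1
            if inside is not None and depth == inside:
                inside = None                  # section closed
        elif line and inside is not None and depth == inside + 1:
            modules.append(line)               # plain module call
    return modules

def peap_backend_gaps(default_conf, inner_conf, backends=("ldap",)):
    """Backends enabled for the outer request but missing from the inner tunnel."""
    outer = section_modules(default_conf, "authorize")
    inner = section_modules(inner_conf, "authorize")
    return [b for b in backends if b in outer and b not in inner]
```
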

RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-12 Thread CJ O

Ivan - 
 
Thank you for your help. I removed the password_attribute field from 
modules/ldap and everything seems to be working with PEAP and GTC.
 
Thank you again!
 
CJ

> To: freeradius-users@lists.freeradius.org
> Subject: RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
> Date: Thu, 13 Nov 2008 01:07:18 +0100
> From: [EMAIL PROTECTED]
> 
> >That change has allowed MS-Chapv2 to work from my tunnel.
> >
> >Since I've specified PEAP in the eap.conf, is it possible to use GTC too?
> 
> Yes, you can use any eap method you want. default_eap_type will be tried
> first. If refused, server and supplicant will try to "agree" on
> another. It just means one extra eap exchange.
> 
> Ivan Kalik
> Kalik Informatika ISP

RE: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP

2008-11-12 Thread CJ O

Ivan - 
 
Thank you for your help.
 
That change has allowed MS-Chapv2 to work from my tunnel. 
 
Since I've specified PEAP in the eap.conf, is it possible to use GTC too?
 
Thanks
CJ

> To: freeradius-users@lists.freeradius.org
> Subject: Re: FreeRadius 2.1.1 - OpenLDAP + NT hash + PEAP
> Date: Thu, 13 Nov 2008 00:04:41 +0100
> From: [EMAIL PROTECTED]
> 
> >In site-enable/default under authorize I've uncommented ldap.
> 
> You don't need ldap there. Uncomment ldap in sites-enabled/inner-tunnel
> virtual server.
> 
> Ivan Kalik
> Kalik Informatika ISP