Hi Matt.

I'm going to answer your questions, and also point out something you've
missed.

You are using PEAP (if you are using the XP client, you are using PEAP).

To tell PEAP not to use your logon credentials, but to prompt for them,
you have to uncheck something that is buried 3 menus deep.

See here for directions:
http://www.informit.com/guides/content.asp?g=security&seqNum=74&rl=1

See figure 7 for details

BUT....

I don't think this will work for you.  (I'm making some assumptions
about your network that could prove me wrong.)
I assume you have Active Directory, with freeradius querying this via
LDAP?
If it is, this setup won't work for you.  Active Directory, in the usual
Microsoft methodology, embraces standards and extends them with
proprietary extensions.
What does this mean?  It means by default you can't get passwords out of
AD.  You could store passwords in plaintext. (Bad idea.)

You need to set up FreeRadius using the ntlm_auth helper program.  You
install Samba on the FreeRadius box, join it to the domain, and
configure freeradius to perform auths via ntlm_auth.  Then FreeRadius
will have no problem talking to Active Directory.  You can still use the
LDAP module to assign attributes. (This was on the freeradius mailing
list last week.)

Hope this helped.
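The ntlm_auth path described in the reply above, written out as an added example (these are not the poster's own commands or config). It assumes Samba is already installed on the FreeRADIUS host with smb.conf set to security = ads, a NetBIOS domain of EXAMPLE, ntlm_auth at /usr/bin/ntlm_auth, radiusd running as the user "radiusd", and winbindd's privileged socket directory at /var/lib/samba/winbindd_privileged; the mschap block goes in the mschap module section of radiusd.conf.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumed values below.
NTLM_AUTH=/usr/bin/ntlm_auth
NT_DOMAIN=EXAMPLE
RADIUS_USER=radiusd
WINBIND_PRIV_DIR=/var/lib/samba/winbindd_privileged

# Join the domain and confirm the machine trust account works before
# touching radiusd (net prompts for the domain admin password).
join_domain() {
    net ads join -U Administrator
    wbinfo -t
}

# Prove that ntlm_auth can verify a password against AD.
# Exit status 0 means AD accepted it; run this before blaming RADIUS.
check_ntlm_auth() {
    "$NTLM_AUTH" --request-nt-key --domain="$NT_DOMAIN" \
        --username="$1" --password="$2"
}

# winbindd only answers challenge/response requests from processes that
# can read its privileged pipe, so give radiusd's user access to it.
grant_winbind_priv() {
    chgrp "$RADIUS_USER" "$WINBIND_PRIV_DIR" && chmod g+rx "$WINBIND_PRIV_DIR"
}

# Emit the mschap module block that hands the MS-CHAPv2 challenge and
# response to ntlm_auth. FreeRADIUS never needs the NT hash itself,
# which is why this works against AD where the LDAP module cannot.
# To limit wireless access to one AD group, add
# --require-membership-of='EXAMPLE\wifi-users' to the ntlm_auth line.
mschap_ntlm_config() {
    cat <<EOF
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "${NTLM_AUTH} --request-nt-key --domain=${NT_DOMAIN} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
EOF
}

case ${1:-} in
    --join)   join_domain && grant_winbind_priv ;;
    --check)  check_ntlm_auth "$2" "$3" ;;
    --config) mschap_ntlm_config ;;
esac
```

Run it with --join once, then --check with a test AD account, and paste the --config output into the mschap section before restarting radiusd.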

-----Original Message-----
From: Matt Ashfield [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 07, 2006 2:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x authentication using LDAP

Hi All

I'm trying to configure 802.1x wireless authentication using credentials
stored in LDAP.

I am running FreeRadius and SunOne ldap server. The Radius server is
correctly doing authentication attempts to the LDAP server (I issue the
"radtest" command with a username/passwd from LDAP and I get an
authenticate-accept back).

The next step is setting up an XP client to talk to an Access Point,
which is configured to authenticate via the Radius server, via LDAP. So
far, in my minimal testing, I've seen the client try to connect using
its Windows credentials rather than giving the user a chance to enter a
username/password.

I'm sure others out there are doing this. I'm just wondering what you're
using? EAP-TLS, PEAP, etc..?  I guess I need to get my acronyms straight
first and go from there.

From what I can tell PEAP will require my users to install a
certificate.
We'd much rather prefer them to have to enter their LDAP usernames and
passwords. 

Any advice is appreciated.

Thanks


Matt Ashfield
[EMAIL PROTECTED] 

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
