I am not sure what you want to do. Do you mean using FreeRadius to terminate the PEAP tunnel and then use the inner MSCHAPV2 against Active Directory?
If so, this is not possible with the MS PEAP client. Reason one is that you need to change a registry setting on the IAS server to allow the IAS to do EAP-MSCHAPV2, as this is not allowed by default. Reason two is that the IAS server uses certain other (non-EAP) attributes to authenticate the user which are not supported by the MS PEAP client.

This is however possible using (sorry for the advertisement) SecureW2 2.0.0 with Inner EAP-MSCHAPV2 and a small tweak of the IAS server in the AD.

I have however never tested this with FreeRadius (but it does work with other RADIUS servers). I will test it out next week and let you know how it went.

Tom Rixom

> -----Original Message-----
> From: Jack J [mailto:[EMAIL PROTECTED]
> Sent: Saturday, April 03, 2004 2:22 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Wireless Authentication against Windows AD
>
> Can someone please advise?
>
> Thanks,
>
> --- Jack J <[EMAIL PROTECTED]> wrote:
> > Kevin,
> >
> > I am trying to use MSCHAPv2 w/ PEAP against AD using FreeRADIUS.
> > Could you please shed some light/pointers on how to configure this?
> >
> > Thanks,
> >
> > --- Kevin C Miller <[EMAIL PROTECTED]> wrote:
> > > > Does anyone know if wireless authentication (LEAP, PEAP, EAP, TLS, TTLS)
> > > > is possible using freeradius authenticating to Windows AD without having
> > > > to enter usernames or any user information on the freeradius box? I am
> > > > still not sure why it cannot use the LDAPS connection that I have working
> > > > from freeradius to Windows AD for simple authentication. Am I the only
> > > > one trying to accomplish this task?
> > >
> > > I haven't done this specifically, but you should first try to narrow down
> > > the EAP types you are considering. TLS, for example, will require a client
> > > certificate. TTLS will require a third-party client for Windows.
> > >
> > > I would look at MS-CHAPv2 with PEAP. Given your AD you should have the
> > > necessary hashes to make this work.
> > >
> > > What I have done is use the SecureW2 client with TTLS-PAP to authenticate
> > > against a KDC. In this case PAP is necessary to transport the password to
> > > the server, as the password is required to verify the Kerberos credentials.
> > >
> > > -Kevin

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

