Re: CiscoAP->Freeradius->AD->ISA(ntlm authentication)

Wed, 04 Jan 2006 03:25:59 -0800

hi

yes i know they have to authenticate two times. but in my case its not so easy. we have more than 400 pc connected to the domain (wired), so they will be authenticated transparently through the ISA. then a lot they arent in the domain (also wired). they are only authenticating against the ISA because they need only to surf the internet.
now we need accesspoints. what would be the best way. we need also some filtering service (websense) which is installed on the ISA. so the new clients (wireless) have to surf through the ISA. so it isnt possible to omit the ISA authentication. i would omit the chilli authentication.

whats the best and secure way to authenticate my wirelessclients. they will be MacOS, *nix, Windows2000/XP
EAP-TTLS/mschapv2 ???

if its too difficult i would leave out the ISA, so the would authenticate only against the AD.

thx



Alan DeKok schrieb: 
Konne <[EMAIL PROTECTED]> wrote:
  
Freeradius looks in the ActiveDirectory if the 
user exists and has the rights to connect to the internet. if the 
authentication is ok,  the user must surf over a ISA because there is 
installed websense.
    

  That's not helpful.  You're saying that even though you know only
authenticated users access your net, you still make them authenticate
again?

  
 is it possible to have a transparent authentication 
through the isa-server. i mean if the client is in the condition that he 
can send the ntlm authentication, that he doestn't have to authenticate 
twice times. one time on the chillispot and the second on the isa 
server. is there any possibilty?
    

  The only way to do that is if the RADIUS server can tell the isa
that the user is OK, and they don't have to be authenticated.  See the
isa docs for if this is possible, and if possible, how.  Then write a
script on FreeRADIUS to send the information isa needs.

  In general, what you want to do is difficult, because most people
don't do it.  And most people don't do it because authenticating
people twice is pointless/

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


  

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to