[email protected] wrote:
>
>> In my scenario I would like to use PEAP if possible but not require the user
>> client to have a certificate, just the radius-server (which is why I believe
>> the TTLS solution will be inefficient here as I would have to deal with
>> handing out client certificates to hundreds of users). And to be asked then
>> their username and password to authenticate onto our wireless. Would combining
>> these two guides work to get these two initially set up and running?
>>
> TTLS is *not* an admin hassle, TLS is (client side certificates). TTLS means
> you put a verifiable server certificate on the *server* end that the client
> can verify and know who it is talking to, then you can safely even send the
> password in plain text.
>
> PEAP will require passwords stored as clear text or NT hash. If your
> passwords are stored as something else they will have to be changed.
>
...or...you use EAP-TTLS and get the client to send the passwords in plaintext
and then do an LDAP bind() to check if the credentials are correct.

Once you are doing this you can one day get around to (if you want to) putting
plaintext passwords into your LDAP database that FreeRADIUS can use and abuse.

> As for combining freeradius and ldap perhaps you should read
> freeradius documentation first (wiki or doc/rlm_ldap from the
> download) and then see whether there is any need to bother with third party
> stuff.
>
Well PEAP without AD means you have to jump through a lot of hoops manually
configuring each client by hand. With something like SecureW2 you include a
'seeding' file and it will do all the hard manual priming.

This is all overlooking that PEAP is horrible as if you want to play with OTPs
or other fun custom things, good luck doing that with PEAP.

Cheers

--
Alexander Clouter
.sigmonster says: Marriage causes dating problems.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
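The EAP-TTLS setup the reply describes (server certificate only, PAP inside the tunnel, credentials checked by an LDAP bind) as an added configuration example; it is not from the thread or from the FreeRADIUS project's own files. FreeRADIUS 3.x syntax is assumed, and the LDAP server name and DNs are placeholders.

```conf
# mods-available/eap: outer EAP-TTLS, the RADIUS server is the only side with a certificate
certdir = ${confdir}/certs
cadir = ${confdir}/certs
eap {
    default_eap_type = ttls
    tls-config tls-common {
        # Clients verify this certificate against a CA they trust; that check is
        # what makes sending the inner password in plaintext acceptable.
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }
    ttls {
        tls = tls-common
        # Inner credentials are handled only by the inner-tunnel virtual server.
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# mods-available/ldap: placeholder server and DNs, replace for your directory
ldap {
    server = "ldap.example.org"           # placeholder
    base_dn = "dc=example,dc=org"         # placeholder
    user {
        base_dn = "ou=people,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# sites-enabled/inner-tunnel: PAP inside the tunnel, password checked by LDAP bind
server inner-tunnel {
    authorize {
        # With PAP the User-Password is visible only inside the TLS tunnel.
        ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }
    }
    authenticate {
        # Bind as the user with the supplied password; the directory keeps its
        # own hashed password store, so no cleartext or NT-hash copy is needed.
        Auth-Type LDAP {
            ldap
        }
    }
}
```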

