Hi,

Sorry for the trivial questions but here I go:

I think I configured freeradius correctly for EAP-TLS and PEAP with ms-chap 
which authenticates using the ntlm_auth helper application.

If I try to connect from a Windows client via a wireless AP "WIFIAP1" with 
Active Directory "user1" I see this in the log:

Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 0 via TLS tunnel)
Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 48 cli 001a73f7f0f7)

Dumb question: does this mean the client used PEAP to connect? Can I deduce 
this from "Auth-Type = EAP" and from "via TLS tunnel"?

If connected via PEAP, authentication is "secure". However, I'd like to know if 
the data exchanged between the clients and the rest of the LAN via the Access 
Point is also encrypted and "cannot be sniffed". Does this "data encryption" 
depend only on the AP's encryption settings (e.g. AES) and does FreeRadius get 
out of this equation after authentication?

If I install a self-signed certificate on another Windows client and connect 
via EAP-TLS then I can connect without having to use an Active Directory user, 
as expected.

I'm wondering if I can *require* both a certificate on the client machine AND 
an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? 
(currently, my freeradius configuration seems to require PEAP OR EAP-TLS)

Freeradius version: 2.0.5

Thanks,

Vieri



      
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
