On Fri, Jun 18, 2010 at 7:44 AM, Kyle Plimack <[email protected]> wrote:
> I have pap working (i.e. I ran radtest and got an access-accept).
> I don’t want to configure certs on each of my hosts for each of my clients,
> so I’d like to use PEAP/msChapV2 so that dot1x clients are prompted for a
> username/password.
>
> According to the deployingradius.com guide, once pap is working, mschapv2
> should “just work”. It doesn’t.
It should, IF passwords are stored in plain text on your LDAP schema. If it doesn't (as in the case of AD or Lotus Domino), then you either need to make some adjustments (like using ntlm_auth with AD) or dump mschapv2 and use PEAP/GTC with ldap bind as user (like with Lotus Domino).

For the PEAP part, like John and Alan mentioned, you need to enable LDAP in the inner tunnel as well. "radtest" doesn't use EAP, so it can't check for EAP configuration errors.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
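
The options named in the reply above, sketched as FreeRADIUS 2.x configuration fragments. This is an added example, not part of the original message or the poster's configuration; the file paths, the ntlm_auth location and the trimmed section contents are assumptions to adapt to the local install.

```text
# --- Needed in every case: LDAP lookup inside the PEAP tunnel --------------
# raddb/sites-available/inner-tunnel   (path assumes the FreeRADIUS 2.x layout)
# Only the relevant lines of the section are shown.
authorize {
    mschap
    eap
    ldap        # the same ldap module instance that already works for PAP
}

# --- Option 1: the directory returns a clear-text password -----------------
# Nothing further to configure: once ldap supplies Cleartext-Password in the
# inner tunnel, the mschap module derives the NT hash from it.

# --- Option 2: Active Directory, password not readable over LDAP -----------
# raddb/modules/mschap   (ntlm_auth path is an assumption; the host must be
# joined to the domain with Samba/winbind running)
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- Option 3: hashed passwords only (e.g. Lotus Domino): PEAP/GTC + bind --
# raddb/eap.conf
eap {
    peap {
        default_eap_type = gtc   # inner method becomes GTC instead of MSCHAPv2
    }
    gtc {
        auth_type = LDAP         # hand the tunnelled password to Auth-Type LDAP
    }
}

# raddb/sites-available/inner-tunnel
authenticate {
    Auth-Type LDAP {
        ldap                     # authenticates by binding to the directory as the user
    }
}
```

Because radtest does not speak EAP, verify any of these with an EAP-capable test client such as eapol_test (built from wpa_supplicant) while the server runs in debug mode.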

