Hi,

> I have two questions for my understanding. I set up FreeRADIUS to
> authenticate against our Active Directory. I read in the readme that this
> couldn't be done with the ldap module, so I did it with SAMBA. It works
> fine for MSCHAPv2. But nowhere does it say why it couldn't be done with the
> ldap module. Can anybody give a technical explanation? As I read the ldap
> module can only work with cleartext passwords and eap is encrypted. But
> why can't it work with. A technical explanation would be nice.

it depends what you want to do with the AP and ldap - you can use it to check groups membership etc.

> As I wrote I set FreeRADIUS up to work fine with the Active Directory.
> I configured the eap.conf to work with PEAP and MSCHAPv2. When I
> configured it in this way I don't need certificates? The certificates
> aren't checked by the clients or server, aren't they? Do I need
> certificates when I use PEAP with MSCHAPv2 or I am doing something wrong?

PEAP will show the client 2 certificates...the server certificate and the CA of that certificate (and intermediates if there are any). a basic freeradius install will have 2 snake-oil certs (local CA and server signed by that CA). it is up to you to ensure that clients are configured to check/verify the certificates.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
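
What "clients are configured to check/verify the certificates" looks like on the client side, as an added example that is not part of the original thread. It assumes a wpa_supplicant client; the SSID, identities, password, CA path and server name are constructed placeholders.

```conf
# Added example (not from the thread). Assumes a wpa_supplicant client;
# SSID, identities, password, CA path and server name are placeholders.

# Weak form, shown commented out: with no ca_cert (or ca_path),
# wpa_supplicant does not verify the RADIUS server certificate, so the
# PEAP tunnel is set up with whichever server answers and the MSCHAPv2
# exchange is carried out inside that unverified tunnel.
#network={
#    ssid="example-corp"
#    key_mgmt=WPA-EAP
#    eap=PEAP
#    identity="user@example.org"
#    password="placeholder"
#    phase2="auth=MSCHAPV2"
#}

# Verified form: trust only the CA that signed the RADIUS server
# certificate, and require the expected server name in that certificate.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    # Outer (unencrypted) identity, so the real user name only travels
    # inside the TLS tunnel.
    anonymous_identity="anonymous@example.org"
    password="placeholder"
    # CA certificate that signed the FreeRADIUS server certificate.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # The server certificate must carry a dNSName matching this suffix.
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

The file given in `ca_cert` has to be the CA that actually signed the server certificate FreeRADIUS presents, which on a basic install is the local snake-oil CA mentioned above.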

