This is very promising! Thank you! Is there any significant downside to using EAP-TTLS/PAP over PEAP?
FreeRadius users mailing list <[email protected]> writes:

> On 10/10/2012 03:21 AM, Jason Agress wrote:
>> Will that allow successful RADIUS authentication - and, therefore
>> wireless access - before the password change is initiated? Because our
>> clients are Macs that won't prompt for password change until after they
>> are connected to the wireless and authenticating against AD.
>
> Ah. Then no, mschap password changes won't help. FreeRADIUS just calls
> out to AD to auth users. If AD refuses to auth because the password is
> expired, the only thing you can do is a password change, which requires
> client support.
>
> Since you're using Macs, you do have one option - change your EAP method
> to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth
> types you can "force" an accept on. Other auth types use
> challenge/response methods that require both sides to prove to each other
> that they know the credentials.
>
> To implement this, you'd:
>
>  1. Install FreeRADIUS
>  2. Get EAP working with a local user
>  3. Get EAP working with AD users via Samba
>
> Everything up to this point is documented - see the wiki or
> deployingradius.com. Once you've got that far, you need to set up two
> things:
>
>  * TTLS
>  * A script to auth PAP against AD, wrapping ntlm_auth
>
> The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails,
> check for "expired" and force a success.
>
> Anyway - if you're willing to move from PEAP to TTLS, get the basics
> working then if you need advice, ask here again - people will be glad to
> help. It's relatively straightforward, but all the pieces might not be
> documented in obvious places.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
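The wrapper script the quoted reply sketches, written out as an added example. It is not code from this thread, from Samba or from the FreeRADIUS project. It assumes ntlm_auth lives at /usr/bin/ntlm_auth, accepts the usual --request-nt-key/--domain/--username/--password flags, exits non-zero on failure and prints an NT_STATUS_... code when it does; the domain name EXAMPLE and the exact wording of the expiry message are placeholders. The only thing "forced" is the expired-password case: the password still has to be right for AD to report expiry rather than NT_STATUS_WRONG_PASSWORD, and every other failure stays a reject.

```shell
#!/bin/sh
# ad_pap_auth.sh: PAP-against-AD wrapper around Samba's ntlm_auth that lets a
# user whose password is correct but EXPIRED through, so the Mac can join the
# network and then be prompted to change it. Constructed example; the ntlm_auth
# path, flag set, domain name and exact NT_STATUS text are assumptions.

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"   # assumed binary location
AD_DOMAIN="${AD_DOMAIN:-EXAMPLE}"              # assumed NetBIOS domain name

# is_expired_failure OUTPUT
# True only for the status codes that mean "credentials verified, password
# must be changed". Wrong password, disabled or locked-out accounts do not
# match and therefore stay failures.
is_expired_failure() {
    case "$1" in
        *NT_STATUS_PASSWORD_EXPIRED*)     return 0 ;;
        *NT_STATUS_PASSWORD_MUST_CHANGE*) return 0 ;;
        *)                                return 1 ;;
    esac
}

# ad_pap_auth USER PASSWORD
# Exit 0 -> FreeRADIUS returns Access-Accept; exit 1 -> Access-Reject.
ad_pap_auth() {
    _user="$1"
    _pass="$2"
    # Capture stdout and stderr together; the "&& ... || ..." form keeps a
    # caller running under 'set -e' from aborting on a non-zero exit.
    _out=$("$NTLM_AUTH" --request-nt-key \
            --domain="$AD_DOMAIN" \
            --username="$_user" \
            --password="$_pass" 2>&1) && _rc=0 || _rc=$?

    if [ "$_rc" -eq 0 ]; then
        return 0                  # normal success
    fi
    if is_expired_failure "$_out"; then
        return 0                  # right password, expired: force the accept
    fi
    return 1                      # any other failure is a reject
}

# FreeRADIUS (exec module) passes the two arguments; with no arguments the
# functions are only defined, so the file can be sourced for testing.
if [ "$#" -eq 2 ]; then
    ad_pap_auth "$1" "$2"
    exit $?
fi
```

The usual way to hook this in is an `exec` module instance with `wait = yes` whose `program` line passes `%{User-Name} %{User-Password}`, called from the `authenticate` section of the TTLS inner-tunnel virtual server for `Auth-Type PAP` (how that instance is named and wired is left to the local configuration). Two caveats: the password travels on ntlm_auth's command line, where any local user can read it from the process list, which is the same exposure as the stock FreeRADIUS ntlm_auth configuration; and the match must stay on the specific expiry status codes, since matching a looser string such as "failed" would turn every wrong password into an accept.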

