Hi,

> We maintain a central AD with all the user accounts in it but there are no
> machines associated with that AD.

any reasons for proxying to the NPS rather than binding the FR system into the AD and authenticating locally?

> The self signed certificate works but people get prompted to accept it and
> we were asked if it was possible for that to not happen.

some clients may prompt for the RADIUS or CA certificate anyway.

> The most likely users of this service would be the VIP types, it is
> expected to "just work" so here I am.

ah...the VIP types who 'just want it to work!' - and thus decide that security requirements are superfluous and get in the way. fine, you need to demonstrate the issue with a classic man-in-the-middle attack - a couple of easy to boot systems exist which do that.

> Self signed or commercial makes no difference as the certificate is only
> used for server authentication.

correct.

> The only difference is users having to manually trust a cert or not.
> Unless I am wrong.

I would seriously advise that you look to having the right security in place and avoid users/clients having to configure their systems - i.e. an 802.1X deployment tool (such as XpressConnect from CloudPath) which will do all the work/configuration and installation of a CA for you as per your requirements - multi-platform and will do wireless and wired. (there are alternatives but none that are as feature-rich and support as many clients)

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
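An added example, not taken from Alan's reply or from FreeRADIUS, to illustrate the point above that self-signed versus commercial makes no difference to server authentication: what decides whether a client will hand its credentials to a RADIUS server is the trust configuration the client carries (which CA it trusts and which server name it expects), which is exactly what a deployment tool installs. The Go program below (standard library only) builds an organisation CA, a server certificate issued by it, a self-signed server certificate and one issued by an unrelated CA, then checks each the way a correctly configured supplicant would. The CA name "Example Org 802.1X CA", the server name radius.example.org and the other names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on any key/certificate generation error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a short-lived certificate for cn. With parent == nil it is
// self-signed; otherwise it is signed by parent using parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A RADIUS/EAP server certificate: server-auth EKU plus a SAN the supplicant can match.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// supplicantAccepts models the check a correctly configured 802.1X client makes
// before sending credentials: the server certificate must chain to a CA in the
// client's trust store and must carry the server name the client expects.
func supplicantAccepts(server *x509.Certificate, trusted *x509.CertPool, expectedName string) bool {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// RunScenarios reports which server certificates a client accepts under
// different trust configurations (all names are constructed for the demo).
func RunScenarios() map[string]bool {
	const serverName = "radius.example.org"
	ca, caKey := makeCert("Example Org 802.1X CA", true, nil, nil)
	legit, _ := makeCert(serverName, false, ca, caKey)           // what the org's RADIUS server presents
	selfSigned, _ := makeCert(serverName, false, nil, nil)       // the self-signed alternative
	otherCA, otherKey := makeCert("Unrelated CA", true, nil, nil) // a CA the org never installed
	otherIssued, _ := makeCert(serverName, false, otherCA, otherKey)
	orgTrust := x509.NewCertPool() // what a deployment tool installs on the client
	orgTrust.AddCert(ca)
	pinned := x509.NewCertPool() // the self-signed cert trusted explicitly by the user
	pinned.AddCert(selfSigned)
	return map[string]bool{
		"ca-issued, org CA trusted":      supplicantAccepts(legit, orgTrust, serverName),
		"self-signed, org CA trusted":    supplicantAccepts(selfSigned, orgTrust, serverName),
		"self-signed, pinned":            supplicantAccepts(selfSigned, pinned, serverName),
		"other CA, org CA trusted":       supplicantAccepts(otherIssued, orgTrust, serverName),
		"ca-issued, wrong expected name": supplicantAccepts(legit, orgTrust, "radius.other.example"),
	}
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

The self-signed certificate is accepted only in the "pinned" case, which is the manual trust step the thread is trying to avoid; a CA-issued certificate is accepted without any user interaction once the CA is installed. In both cases a certificate from an issuer the client does not trust, or one carrying the wrong server name, is refused, which is the check that has to be present on every client before the service can safely "just work".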

