Hi Alan,

Thanks for your insight, you are absolutely correct regarding the issues. I will have to find a compromise that is acceptable to everyone.
> > We maintain a central AD with all the user accounts in it but there
> > are no machines associated with that AD.
>
> any reasons for proxying to the NPS rather than binding the FR system
> into the AD and authenticating locally?

Only that the FR site mentioned it to be complicated and we already have an NPS that we are otherwise happy with. Looks like this would be the best option.

> > The self signed certificate works but people get prompted to accept
> > it and we were asked if it was possible for that to not happen.
>
> some clients may prompt for the RADIUS or CA certificate anyway.
>
> > The most likely users of this service would be the VIP types, it is
> > expected to "just work" so here I am.
>
> ah...the VIP types who 'just want it to work!' - and thus decide that
> security requirements are superfluous and get in the way. fine, you need
> to demonstrate the issue with a classic man in the middle attack - a
> couple of easy to boot systems exist which do that.
>
> > Self signed or commercial makes no difference as the certificate is
> > only used for server authentication.
>
> correct.
>
> > The only difference is users having to manually trust a cert or not.
> > Unless I am wrong.
>
> I would seriously advise that you look to having the right security in
> place and avoid users/clients having to configure their systems - ie an
> 802.1X deployment tool (such as XpressConnect from CloudPath) which will
> do all the work/configuration and installation of a CA for you as per
> your requirements - multi-platform and will do wireless and wired.
> (there are alternatives but none that are as feature-rich and support as
> many clients)

Will definitely look into that. The difficulty is that some of the users are so remote from us that our only encounter with them is seeing a log entry. This is a global solution very removed from the local tech team, only used to let roaming users on the wireless network.

We are providing a RADIUS so they don't have to maintain a full copy of all the users in the network (network of companies). It's a continuous headache for us.

> alan

--
Bertalan Voros
m: 07932858025
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
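As an added illustration of the proxy-to-NPS option discussed above (this is example configuration written for this page, not anything from the thread or the FreeRADIUS project), a minimal proxy.conf fragment that forwards one realm to an NPS home server. The address 192.0.2.10, the realm example.com and the shared secret are placeholders.

```conf
# proxy.conf fragment (added example). Placeholders: 192.0.2.10,
# example.com and the shared secret.

home_server nps_primary {
    type = auth
    ipaddr = 192.0.2.10                    # placeholder: the NPS box
    port = 1812
    secret = CHANGE_ME_long_random_secret  # placeholder
    # Status-Server probes detect a dead NPS without waiting for real
    # user requests to time out first.
    status_check = status-server
    response_window = 20
    zombie_period = 40
    revive_interval = 120
}

home_server_pool nps_pool {
    type = fail-over
    home_server = nps_primary
}

# Users log in as user@example.com; the realm decides where the
# request goes. nostrip keeps the full NAI so NPS sees the domain.
realm example.com {
    auth_pool = nps_pool
    nostrip
}

# Deliberately no DEFAULT realm pointing at the pool: requests
# without a known realm are handled locally rather than forwarded.
```

When EAP is proxied like this, the supplicant's TLS tunnel terminates at NPS, so the certificate users are prompted to trust is the one installed on NPS, not on FreeRADIUS. A CA-issued certificate there, with clients configured to validate it, is what removes both the prompt and the man-in-the-middle exposure Alan describes.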

