On Tue, May 21, 2013 at 08:03:48AM +0100, Franks Andy (RLZ) IT Systems Engineer wrote:
> Just confirming that I've tested this in the past and it works, but I
> believe the poster of the article is dubious about a production
> environment.

Not at all - we are running it in production. The warning at the bottom is
to make you think about what you're doing first, rather than to blindly
copy my examples and then open yourself up to security issues that you
haven't thought through. The examples are stripped down to their utter
bare minimum - which is unlikely to be what you want in production.

> When I tried it on wifi it took a second or so more to
> authenticate for some reason, so we eventually went with eap-tls
> instead because of this and because it was simpler. I did also
> get quite a few "The EAP message did not complete" but that
> could be coincidental.

It's been running fine here with a lot of laptops for over a year now.
We usually see the "EAP did not complete" errors from bad wireless
signals or misconfigured EAP timers.

As the article says - the only real benefit is to get SoH data from the
device. If you don't want/need that, you're fine with plain EAP-TLS (and
with fewer round trips, it will auth faster, too).

Cheers

Matthew

--
Matthew Newton, Ph.D. <[email protected]>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[email protected]>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
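The trade-off Matthew describes (PEAP with SoH costs extra round trips but hands the RADIUS server client health data it can make a policy decision on) comes down to two FreeRADIUS config pieces. What follows is an added illustration, not the article's configuration or anything Matthew posted: the `soh` switch in the PEAP section of the eap module, and a separate virtual server that evaluates the returned Statement of Health. The FreeRADIUS 3.x layout (`mods-available/eap`, `sites-available/soh`), the server name `soh-server`, and the regex/threshold used to reject are assumptions chosen for the example; adapt them to the version and policy you actually run.

```unlang
# mods-available/eap  (added example, not the article's config)
# PEAP carries the SoH TLV inside the TLS tunnel; requesting it adds the
# extra round trips mentioned above, which plain EAP-TLS does not have.
eap {
	peap {
		# ... keep your existing tls/default_eap_type settings here ...
		virtual_server = "inner-tunnel"

		# Ask the Windows supplicant for a Statement of Health and
		# hand the result to a dedicated virtual server for evaluation.
		soh = yes
		soh_virtual_server = "soh-server"
	}
}

# sites-available/soh  (added example; thresholds are assumptions)
server soh-server {
	authorize {
		# The supplicant NAKed the SoH request. An unknown health
		# state is treated as a failure, not silently let through.
		if (SoH-Supported == no) {
			reject
		}

		# SoH-MS-Windows-Health-Status holds strings such as
		# "firewall ok" or "antivirus warn". This policy rejects on
		# hard errors only; what to do with "warn" is a local choice.
		elsif (SoH-MS-Windows-Health-Status =~ /(firewall|antivirus) error/) {
			reject
		}

		else {
			update config {
				Auth-Type := Accept
			}
		}
	}
}
```

The important design point is the first branch: a client that refuses to answer the SoH request should not end up on the same footing as one that answered cleanly, otherwise the health check only constrains devices that choose to co-operate. If you do not need any of this, the `soh` lines are exactly what you leave out, which is why plain EAP-TLS is both simpler and faster.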

