-----BEGIN PGP SIGNED MESSAGE----- At 16:18 -0500 06/23/2005, Michael Griego wrote: >One quick warning here. Be very careful about running Steel Belted >RADIUS on Windows doing domain authentication or IAS in an environment >where the machines authenticating via 802.1x are *not* domain member >machines with users logging in via domain accounts. The builtin WinXP >supplicant refuses to reprompt the user for his new password if his >domain password is changed. It keeps trying to auth with the old >password, resulting in an eventual account lockout. You have to >actually remove the registry key that contains the cached network >credentials to get the machine to stop attempting to auth with the bad >credentials. The only ways to get around this are to a) make sure all >machines are domain members and the users are logging in with their >domain accounts or b) don't use IAS or SBR. We use FreeRADIUS, and we >don't have this problem with our student laptops.
So your FreeRADIUS box authenticates directly to Active Directory? This isn't a problem with MS-CHAPv2, is it? We know we can't have FreeRADIUS authenticate to LDAP with MS-CHAPv2 because our passwords are encrypted on the LDAP server. Thanks!! -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.1 (Build 2185) Comment: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html> iQEVAwUBQsr1ly5elU+tqml1AQFIqQgAn0lV0D/1AJoNxO2cA8UzYf0s8hRvqnLz KC1wa/F1hERUCP4faLqZssyTMtNfyHzTMaDXRqpTDFxyMPxm5PuJTYH0J3Sh5l+k cfUQ+ehTnws3iOJKp61vemRbS9+63OKa49BiZgqP8pvcngzj6ow5QQyuqdevw9xG Z7xQej0lUVtfLRnYkEzm8++9hJKJ1djiXukRGtrzrIGAv21JidPF9jhqaIOsEYZm xSaMoysoqitJu1Ztu/hN5U2NF7pLkcq4IAsVDJJXDe9FIoXCTrxGLzeUDCYpUHsn m7Rsgl3Q+zKAoKHP0zqe0PwsQIv4M2tmoJFcKeNgkm5Xo0UictMXeQ== =k9Fk -----END PGP SIGNATURE----- -- Julian Y. Koh <mailto:[EMAIL PROTECTED]> Network Engineer <phone:847-467-5780> Telecommunications and Network Services Northwestern University PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
