Frank is right that PEAP requires that the passwords be stored in a specific format. We tried to use FreeRadius and OpenLDAP with PEAP but couldn't get it to work because it required that we store the passwords in the LDAP database in either clear text or NTLM hash. We store our passwords in a more secure (and not supported by MSCHAPv2) format so we had to move to EAP-TTLS with PAP.

Also, if it helps, this site has some setup instructions that you may find helpful: http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Ryan.
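Why the stored-password format decides between PEAP and TTLS/PAP, as an added Python example that is not from this thread: the server side of MS-CHAPv2 needs the NT hash (MD4 over the UTF-16LE password) as its secret, so it can be served from a cleartext userPassword or a Samba-style sambaNTPassword attribute (assumed attribute names, constructed entries), but not from an OpenLDAP {SSHA} value, whereas PAP inside the TTLS tunnel hands the server the cleartext and any stored digest can be checked. MD4 is written inline because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
import base64, hashlib, hmac, os, struct

def _md4(data: bytes) -> bytes:
    """Inline MD4 (RFC 1320); only needed because hashlib.md4 is often unavailable."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    s = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = s
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + f(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        s = [(v + w) & mask for v, w in zip(s, (a, b, c, d))]
    return struct.pack("<4I", *s)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; the secret MS-CHAPv2 is computed from."""
    return _md4(password.encode("utf-16-le"))

def ssha_store(password: str, salt: bytes = b"") -> str:
    """OpenLDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(4)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def pap_verify_ssha(stored: str, candidate: str) -> bool:
    """PAP inside the TTLS tunnel delivers the cleartext, so any stored digest can be checked."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)

def mschapv2_secret(entry: dict):
    """NT hash a RADIUS server could feed its MS-CHAPv2 module from an LDAP entry
    (constructed dict, attribute names assumed): a stored NT hash or one derived from
    a cleartext userPassword. A salted-SHA userPassword yields None: the thread's problem."""
    if "sambaNTPassword" in entry:                 # hex NT hash, Samba schema
        return bytes.fromhex(entry["sambaNTPassword"])
    pw = entry.get("userPassword", "")
    if pw and not pw.startswith("{"):              # cleartext userPassword
        return nt_hash(pw)
    return None                                    # {SSHA}/{CRYPT}/...: cannot serve MS-CHAPv2
```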


Frank Bulk wrote:
I'm sure you could use LDAP if you stored your passwords in the format
necessary for MSCHAPv2, but the problem is that with LDAP most often the
passwords are in clear text or some other format.

Frank

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of John York
Sent: Tuesday, August 26, 2008 9:27 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?

I've been wanting to do PEAP with an ldap backend, but could never find
a way to do it.  EAP needs authentication traffic that RADIUS supports,
but ldap doesn't.  In fact, TTLS with secureW2 was recommended to me as
the way to do it--unfortunately, our Cisco ACS doesn't support TTLS.  We
do use PEAP with the built-in Vista client and authentication from Cisco
ACS to a Windows RADIUS (IAS) backend. It works fine (assuming the ADS
guys cooperate--don't know why they wouldn't, since IAS is easy to
configure.)  If you find a combination that will let you use PEAP and an
ldap backend, please let me know.

Thanks
John

John York
Network Engineer
Blue Ridge Community College
Weyers Cave, VA



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Philippe Hanset
Sent: Tuesday, August 26, 2008 10:06 AM
To: [email protected]
Subject: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?

All,

We want to move to EAP-PEAP instead of EAP-TTLS (secure W2),
and try to use the built-in client in Vista and XP.
We use RADIATOR for RADIUS and have two identical back end directories:
LDAP and Active Directory.

Considering the hashing issue that MSchapV2 introduces we want to
authenticate against AD. But our AD admin is giving us a hard time.
He wants us to join his domain and do NTLM/Kerberos.
This involves a lot of SAMBA and I'm more of a Tango guy!

Is there a better way with UNIX Based RADIUS (RADIATOR in our case)?

Thank you in advance,

Philippe

----------------------------------
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
----------------------------------

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
