pfSense FreeRADIUS without CA certificates and PEAP + MS-CHAPv2



  • Hi, I've tried to search for the right information since last week or so but could not make this work. I'm running a pfSense server with 2x WAN and 1x LAN. On the LAN side I've 4x 802.11g APs of different makes. All wifi clients take IPs from DHCP running on the pfSense box, so effectively the APs are running in bridge mode. Presently I'm on WPA shared-key access, but want a login ID/password for each user without the hassle of server/client certificates. I know this can be done with a combination of PEAP + MS-CHAPv2 (Win XP/7 clients).

    I did the RADIUS server setup using a guide here: http://blog.vannuil.com/2008/10/wpa2-enterprise.html (note I've not generated any certificate on the server, thus everything is at its default).

    Now my iPhone is able to connect to the network, but with Windows clients the server just won't validate the login credentials. Any guidance in the right direction will be highly appreciated.



  • As he says in the post:

    Windows itself has no native EAP-TTLS support. You have to go with a third party like w2secure, which is free (at least the EAP-TTLS implementation).

    To simplify:

    On EAP-TLS the client needs a certificate to authenticate the machine via a certificate authority to the server, then authenticates the user with a password through a secure connection in a more or less secure way (MS-CHAP).

    On EAP-TTLS (tunneled) the client pushes its credentials through a tunnel where ONLY the server has to prove its identity (therefore you have to install the CA on the clients), then establishes a secure connection (a bit like HTTPS).
    Since the user credentials are sent through a secure tunnel, it doesn't matter that the user auth is done with PAP, which is unencrypted ASCII.

    You often see TTLS at universities or companies with regularly changing users.
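    As an added illustration of what both posts are describing (not from the thread, and not the configuration pfSense's FreeRADIUS package writes for itself), here is the FreeRADIUS 2.x eap.conf shape that PEAP with an MS-CHAPv2 inner method needs. The point to note is that the PEAP outer TLS tunnel always requires a server certificate, whether or not the clients are set to validate it; all file paths and the key password are placeholders.

```conf
eap {
    # Outer method offered to the supplicant (Windows XP/7 speak PEAP natively)
    default_eap_type = peap

    tls {
        # PEAP (and TTLS) wrap the inner exchange in TLS, so the server MUST
        # present a certificate here; there is no "no certificate" mode.
        # Placeholder paths: replace with the real server key/cert and CA.
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        private_key_password = PLACEHOLDER_KEY_PASSWORD
        private_key_file     = ${certdir}/server.key
        certificate_file     = ${certdir}/server.pem
        # CA that issued the server certificate; clients that validate the
        # server (Windows default) need this CA installed in their trust store.
        CA_file   = ${cadir}/ca.pem
        dh_file   = ${certdir}/dh
        random_file = /dev/urandom
    }

    peap {
        # Inner method run inside the tunnel: username/password via MS-CHAPv2
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply     = no
        # Inner requests are authenticated by the inner-tunnel virtual server
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

    MS-CHAPv2 needs the user's cleartext password or NT hash on the server side (e.g. a Cleartext-Password entry in the users file), so a backend that only stores one-way hashes cannot serve it. On the Windows side, a supplicant left with "Validate server certificate" enabled will refuse the tunnel unless the CA above is trusted, which is one common reason a Windows client fails where an iPhone (which prompts to accept the certificate) succeeds.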
