Occasional Contributor II
Posts: 10
Registered: ‎04-12-2007

Rolling out WPA 802.1x with GTC

"Show of hands?"

Anyone roll out WPA2 802.1x with support only for EAP-GTC (and forgetting about MSCHAP?) and are happy about it?

- MSCHAP for us is looking like too big of a hurdle...
- Wanting to use MSCHAP because of Windows native support

The EAP-GTC works just fine, it's just client support can be tricky at times....
Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Rolling out GTC

There are quite a number of users that use GTC because they have LDAP and they want to do encryption. This involves using EAP-GTC as the inner EAP type and installing a GTC supplicant like Odyssey or SecureW2 on clients. Most of these users are in higher education. One of your biggest issues is training your helpdesk to install and troubleshoot these clients.

If you wanted to allow users to use their native supplicant and do EAP-MSChapV2, you would have to make sure that your LDAP tree or structure uses passwords that are in cleartext or NTLM-hashed (http://deployingradius.com/documents/protocols/compatibility.html). When you do this, you can use FreeRADIUS to authenticate users with MSChapV2 and their native supplicants. There are a number of ways to do this and it normally results in all users having to change their passwords if you change the hash. An alternate method is to have a password change mechanism that, when users change their password, writes the new password to both LDAP and Active Directory. When you get that working, you can then authenticate users against Active Directory with their native supplicants using Internet Authentication Server.


Colin Joseph
Aruba Customer Engineering
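
The storage constraint described in the reply above, as an added example that is not part of either post: a Python audit that classifies directory entries by password storage and reports which inner EAP method the RADIUS server could verify for each. It assumes the NT hash, where present, sits in the Samba schema's `sambaNTPassword` attribute; the function names and sample entries are constructed for illustration.

```python
import re

# Hash schemes that can verify a password the RADIUS server receives in the
# clear (EAP-GTC inside the TLS tunnel) but cannot answer an MSCHAPv2 challenge.
ONE_WAY = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}
PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)\}")
NT_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")


def storage_scheme(user_password):
    """Classify a userPassword value by its {SCHEME} prefix."""
    m = PREFIX.match(user_password)
    if m is None:
        return "CLEARTEXT"  # no prefix: stored as-is
    scheme = m.group(1).upper()
    return scheme if scheme in ONE_WAY | {"CLEARTEXT"} else "UNKNOWN"


def usable_inner_methods(entry):
    """Inner EAP methods the server could verify for this directory entry."""
    methods = set()
    pw = entry.get("userPassword")
    scheme = storage_scheme(pw) if pw else None
    if scheme in ONE_WAY or scheme == "CLEARTEXT":
        methods.add("EAP-GTC")
    # MSCHAPv2 needs the cleartext password or its NT hash on the server side.
    # Assumption: the NT hash lives in sambaNTPassword (Samba schema).
    if scheme == "CLEARTEXT" or NT_HASH.match(entry.get("sambaNTPassword", "")):
        methods.add("EAP-MSCHAPv2")
    return methods


def needs_password_change(entries):
    """uids that must set a new password before MSCHAPv2 can work."""
    return [e["uid"] for e in entries
            if "EAP-MSCHAPv2" not in usable_inner_methods(e)]


# Constructed sample entries, not real credentials.
SAMPLE = [
    {"uid": "alice", "userPassword": "{SSHA}Q09OU1RSVUNURUQtU0FNUExF"},
    {"uid": "bob", "userPassword": "{CRYPT}$6$constructed$sample",
     "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF"},
    {"uid": "carol", "userPassword": "{CLEARTEXT}constructed-sample"},
    {"uid": "dave", "userPassword": "{MD5}Y29uc3RydWN0ZWQ="},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["uid"], sorted(usable_inner_methods(e)))
    print("must change password:", needs_password_change(SAMPLE))
```

Accounts listed by `needs_password_change` are the ones that work with a GTC supplicant today but would have to set a new password before native-supplicant MSCHAPv2 could authenticate them.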
