@Marco.Pistolesi wrote:
You are telling me that it is the client that asks for MSCHAPv2, did I understand that right?
If so, I have another question: my clients are 95% Mac OS X. They can authenticate using SSHA, and they are actually doing so on the file server (AFP share -> netatalk -> LDAP with SSHA) and the VPN (default OS X client -> L2TP -> Openswan -> RADIUS -> LDAP). Do you know if there's a way to force them to use SSHA instead of MSCHAPv2 without installing a custom supplicant? From what you wrote before I understood no, is that right?
All clients support MSCHAPv2. That is because Active Directory is so pervasive.
If 95% of your clients are Macs, they support EAP-GTC, so you could:
1. Configure an LDAP server on the controller to point directly to your LDAP server internally (no need for FreeRADIUS). Go to Configuration > Security > Authentication > LDAP Server to set this up on an Aruba Controller.
2. Test the LDAP server on the Aruba Controller by going to Diagnostics > AAA Test Server on the Aruba Controller and test a valid username and password. Make sure it works before proceeding to the next step.
3. Set up a different SSID using the WLAN/LAN Wizard and point it to your LDAP server. It should automatically enable EAP-Termination on the Aruba Controller. You can go back into the 802.1x profile and ensure that the termination type is EAP-GTC.
4. When the SSID is broadcast, you can just click on it with your Mac, and it will ask you for your username and password and it should work. No FreeRADIUS is necessary, because Macs support EAP-GTC. As you can see from the chart here: http://deployingradius.com/documents/protocols/compatibility.html EAP-GTC has the best support for types of encrypted passwords. Unfortunately, outside of Macs, it has limited support (some mobile devices like Android and iOS do support it, but Windows requires a supplicant).
A how-to on ensuring that EAP-GTC is configured is here: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-406
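To show why an SSHA-backed LDAP directory works with EAP-GTC but not with MSCHAPv2, here is an added example (not code from the thread or from Aruba) of how a stored `{SSHA}` userPassword value is verified: it needs the cleartext password that EAP-GTC delivers inside the TLS tunnel, whereas an MSCHAPv2 challenge/response can only be checked against the NT hash or a cleartext password. The 4-byte salt length and the sample password are assumptions.

```python
import base64
import hashlib
import hmac
import os

# LDAP {SSHA} values (OpenLDAP, netatalk) are base64( SHA-1(password + salt) + salt ).
# The directory can only check such a value when it receives the cleartext password,
# which is what EAP-GTC (or PAP inside a TLS tunnel) hands it. MSCHAPv2 never sends
# the password; its response is computed from the NT hash, so a backend that stores
# only {SSHA} digests cannot validate it. (Comment and example added here, not from the thread.)


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Produce an LDAP {SSHA} userPassword value (4-byte random salt assumed)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.

    Returns False for malformed values (wrong scheme, bad base64, or a blob too
    short to hold a 20-byte SHA-1 digest plus at least one salt byte).
    """
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    if len(raw) <= 20:
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: a user record as netatalk/OpenLDAP would store it.
    record = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
    print(record)
    print("GTC/PAP check with right password:", ssha_verify(record, "correct horse"))
    print("GTC/PAP check with wrong password:", ssha_verify(record, "wrong"))
```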