
We are in the process of redoing our wireless access network and would like to know if there is any method to get Windows clients/users access to the network using 802.1x WITHOUT having an Active Directory server for authentication and WITHOUT installing additional software on each and every client. Note that we already use Radius servers, LDAP servers (all on CentOS). Users employ a variety of clients including Windows, Mac, Linux, Android, iOS.

ank
  • Why not just use RADIUS authentication, when you already got the servers? – Frederik Sep 07 '12 at 09:47
  • Yeah, or LDAP... @ank really not sure why you think Active Directory is a requirement for 802.1x (WPA2 Enterprise). – gravyface Sep 07 '12 at 09:52
  • Thanks. As I understand it: Without a (software) supplicant on the Windows client during the authentication phase (password input), the Windows machine will encrypt (hash) it in a Windows proprietary way, and it is therefore incompatible with the encryption mechanisms on either LDAP or Radius. Due to this, it is impossible to verify the correctness of the authentication data and provide a pass/fail response. Am I correct on this? – ank Sep 07 '12 at 10:02
  • @ank 99% sure you'll need MS-CHAP support, but there's an MS-CHAP plugin for FreeRADIUS (assuming that's what you're using). – gravyface Sep 07 '12 at 10:12

1 Answer

802.1x does not use AD authentication normally - just RADIUS. RADIUS normally gets its information from AD, but that's only an option, not a requirement.

You could also use anything for authentication, e.g. a normal text-file accessed by freeradius.

The only problem is - it tends to be a little more work than AD.

MDMarra