hello, I have PAP fully working (wpa_suplicant get connected to wlan), no lucky with any EAP.
I'm thinking and want to have your opinion, what is better:
is it possible to get certificates auth working via Kerberos?
I'm thinking I'm misunderstaning how this certificates working
To use PEAP (Protected EAP) with MSCHAPv2 is workinh using MAC OS X, Ubuntu, Android, Windows XP (I tested this today).
To configure that you don't have to change anything on freeradius2 EAP. Just add a user with username an password.
On WLAN-AP (I used DD-WRT) you have to enable WPA Enterprise or WPA2 Enterprise. Then you have to enter th IP of the RADIUS server and the shared secret.
The IP of the WLAN AP and the shared secret you have to enter on freeradius NAS/Clients.
On the client you can should then choose PEAP and MSCHAPv2. You will be prompted to accept the CA-Certificate of the freeradius server.
Than you will be prompted for a username and password - thats the one you entered in freeradius2 users.
Than all should work. But this is only authorization with username/password. It is NOT TLS or TTLS. TLS means, that the client-certificate (client on your WLAN PC) hast to be valid with the CA on the freeradius server. I didn't get this work today, but I think there are some options on freeradius2 EAP GUI missing. I will check this.
The most secure thing would be to use certificates and username/password together.
If the username/password combination isn't to easy then I don't think that there is a big difference between using ONLY certs or ONLY user/pw.
PS: Check the pfsense docs for "FreeRADIUS 2.x package" - there are two documentations with screenshots. Perhaps this will help you. One is in german but really good screenshots.
And I will check additional options in EAP pulldown menues like MD5, TLS, TTLS and so on. But the freeradius configuration is rare configuration hints...as far as I could see this.
Any news on LDAP + AD ?
What/where do you mean to use "Kerberos auth with certificates" ?