How do I set up simple AD integration?

Burton, Steven sburton at shepherd-construction.co.uk
Wed Apr 12 16:16:21 CEST 2006



> -----Original Message-----
> From: freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org
> [mailto:freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org]On Behalf Of Josh Howlett
> Sent: 12 April 2006 11:48
> To: FreeRadius users mailing list
> Subject: Re: How do I set up simple AD integration?
> 
> 
> Burton, Steven wrote:
> > 
> >> -----Original Message-----
> >> From: freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org
> >> [mailto:freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org]On Behalf Of Alan DeKok
> >> Sent: 11 April 2006 16:28
> >> To: FreeRadius users mailing list
> >> Subject: Re: How do I set up simple AD integration? 
> >>
> >>
> >> "Burton, Steven" <sburton at shepherd-construction.co.uk> wrote:
> >>> This stanza is enclosed within the mschap section, still nothing ventured....
> >>> I changed the line and unfolded it and ran radiusd -X. The first request didn't match anything useful and was rejected by System. I tried again but ticked the box 'CHAP' on NTRadPing and got the output:
> >>   You can't do CHAP to MS AD.  It's impossible.
> >>
> >>   Alan DeKok.
> > 
> > My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
> > I still hope to get 802.1x working with FR before I'm told to stop wasting time and buy something :-) but after two and a half days (on and off) I'm no closer.
> 
> Steve,
> 
> I strongly suggest you start off doing PEAP against the 'users' file, 
> and once that's working get the domain stuff working.
> 
> It sounds to me like you're trying to do too much at once, and too many 
> things are broken for you to know where to start!
> 
> Once you've got PEAP working against the 'users' file, create a machine 
> account in the AD for the RADIUS server (using the Samba tools) and then 
> use the ntlm_auth program (that comes with Samba) to test standard 
> authentication.
> 
> Once you've got that far, it's just a matter of configuring FreeRADIUS 
> to use ntlm_auth. But you can worry about that later :-)
> 
> This isn't difficult, it's largely a matter of making sure you do the 
> right steps in the right order...
> 
> best regards, josh.
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
Well, IT'S WORKING!! Thank you all for your help, advice and support.

Alas, I didn't back up the files last night so I'm not sure exactly what I did to make it work, but I can now see it authenticating and then the connection is made. I have set it to put user names in the log and I hope to have it write accounting logs soon.

More worryingly, I'm seeing this error message in radiusd.log:

Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error:     TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)

AFAIK there is no certificate A on the client (or supplicant) so the error message is probably correct but is it a problem in security terms?
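The staged procedure Josh recommends above (machine account in AD, ntlm_auth test, and only then the FreeRADIUS side) as one script, added here as an example; it is not from this thread and not from the FreeRADIUS or Samba projects. DOMAIN, TESTUSER, TESTPASS, RADIUSD_USER and the ntlm_auth path are placeholders to override in the environment; net, wbinfo and ntlm_auth are Samba's own tools, and the ntlm_auth = line printed at the end is the form rlm_mschap's ntlm_auth option takes in FreeRADIUS 1.x, using its %{mschap:...} expansions. The sample ntlm_auth output strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS/Samba: checks the
# Samba side of AD integration in the order Josh gives, then prints the
# mschap line for radiusd.conf.  DOMAIN, TESTUSER, TESTPASS, RADIUSD_USER
# and NTLM_AUTH are placeholders; override them in the environment.
DOMAIN="${DOMAIN:-EXAMPLE}"              # NetBIOS (short) name of the AD domain
TESTUSER="${TESTUSER:-testuser}"         # a throwaway AD account used only for this test
TESTPASS="${TESTPASS:-}"                 # its password; deliberately empty by default
RADIUSD_USER="${RADIUSD_USER:-radiusd}"  # the unprivileged user radiusd runs as
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"

# nt_key_ok OUTPUT: true when ntlm_auth --request-nt-key printed the NT key,
# i.e. a line "NT_KEY: " followed by 32 hex digits (the user's 16-byte NT hash,
# which FreeRADIUS needs to derive the MPPE keys for the PEAP/MS-CHAPv2 session).
nt_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^NT_KEY: [0-9A-Fa-f]{32}$'
}

# ntlm_status OUTPUT: the NT_STATUS_* code from a failed ntlm_auth run, e.g.
# "NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)" -> NT_STATUS_WRONG_PASSWORD
# (constructed sample).  Prints nothing if the output carries no such code.
ntlm_status() {
    printf '%s\n' "$1" | sed -n 's/^\(NT_STATUS_[A-Z_0-9]*\).*/\1/p' | head -n 1
}

# winbind_priv_dir: winbindd's privileged socket directory, whose location
# varies by distribution.  Fails if none of the usual paths exists.
winbind_priv_dir() {
    for d in /var/lib/samba/winbindd_privileged /var/run/samba/winbindd_privileged \
             /run/samba/winbindd_privileged; do
        [ -d "$d" ] && { echo "$d"; return 0; }
    done
    return 1
}

# mschap_ntlm_auth_line NTLM_AUTH_PATH DOMAIN: the ntlm_auth = line for the
# mschap {} stanza.  %{mschap:...} are FreeRADIUS expansions filled from the
# MS-CHAP attributes of the request; the :-None / :-00 defaults stop ntlm_auth
# from being run with empty arguments when an attribute is missing.
mschap_ntlm_auth_line() {
    printf 'ntlm_auth = "%s --request-nt-key --username=%%{mschap:User-Name:-None} --domain=%%{mschap:NT-Domain:-%s} --challenge=%%{mschap:Challenge:-00} --nt-response=%%{mschap:NT-Response:-00}"\n' "$1" "$2"
}

main() {
    # Step 1: the RADIUS host needs a machine account in AD.  'net ads testjoin'
    # exits 0 when the join made earlier with 'net ads join -U <domain admin>'
    # is still valid; 'wbinfo -t' checks that winbindd can use the trust secret.
    if ! net ads testjoin >/dev/null 2>&1; then
        echo "this host is not joined to the domain; run: net ads join -U <domain admin>" >&2
        return 1
    fi
    wbinfo -t >/dev/null 2>&1 || { echo "winbind cannot verify the trust secret (is winbindd running?)" >&2; return 1; }

    # The --challenge/--nt-response form that rlm_mschap uses talks to winbind's
    # privileged pipe, so the radiusd user must be able to enter that directory
    # (membership of the group that owns it); check that before testing credentials.
    if priv=$(winbind_priv_dir); then
        su -s /bin/sh "$RADIUSD_USER" -c "test -x '$priv'" 2>/dev/null ||
            { echo "$RADIUSD_USER cannot access $priv; add it to the owning group" >&2; return 1; }
    fi

    # Step 2: authenticate a real user with ntlm_auth as the radiusd user, since
    # that is how the mschap module will run it.  The password is visible in the
    # process list while this runs, hence the throwaway test account.
    [ -n "$TESTPASS" ] || { echo "set TESTPASS for $DOMAIN\\$TESTUSER first" >&2; return 1; }
    out=$(su -s /bin/sh "$RADIUSD_USER" -c \
        "$NTLM_AUTH --request-nt-key --domain=$DOMAIN --username=$TESTUSER --password=$TESTPASS" 2>&1)
    if ! nt_key_ok "$out"; then
        echo "ntlm_auth failed for $DOMAIN\\$TESTUSER: $out" >&2
        case "$(ntlm_status "$out")" in
            NT_STATUS_WRONG_PASSWORD|NT_STATUS_LOGON_FAILURE) echo "credentials rejected by the DC" >&2 ;;
            NT_STATUS_NO_SUCH_USER) echo "no such account in $DOMAIN" >&2 ;;
        esac
        return 1
    fi
    echo "ntlm_auth OK for $DOMAIN\\$TESTUSER as $RADIUSD_USER"

    # Step 3: only now wire it into FreeRADIUS.  Put this line inside mschap { }
    # and keep mschap listed in the authorize and authenticate sections.
    echo "add to the mschap {} stanza of radiusd.conf:"
    mschap_ntlm_auth_line "$NTLM_AUTH" "$DOMAIN"
}

# Run the checks when executed as a script; the message says at which step it stopped.
main "$@" || echo "AD integration check stopped (exit $?)" >&2
```

Run it as root on the RADIUS host after net ads join; it stops at the first failing stage and prints the mschap line only once ntlm_auth has succeeded as the radiusd user, which is the order Josh describes. nt_key_ok and ntlm_status are plain string checks, so they can be tried offline against saved ntlm_auth output.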
