FR + AD host/ machine/ workstation authentication

Jacob Jarick mem.namefix at gmail.com
Fri Jul 6 10:37:59 CEST 2007


Quick question:
should machine authentication work if I follow the howto on a base
system, or will I need to add attr_rewrite's as suggested in the Novell
howto?

On 7/6/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> config on client follows exactly what the howto recommends with the 1
> change of checking "authenticate as computer when computer information
> is available". Which as you can see does attempt to auth.
>
> The cert options are set as in this picture:
> http://wiki.freeradius.org/Image:100000000000017F000001D2C7856F9F.png
>
> I just reread this section here on the howto "Certificate validation
> is strongly recommended for wireless configurations, and optional for
> wired deployments.
>
> Select « Validate server certificate » and check ONLY the CA for your
> FreeRADIUS server (the one you installed above). Also select « Connect
> to these servers » and enter the Common Name of the server
> certificate.
>
> If you are configuring a wired ethernet interface, you can leave
> certificate verification off in your supplicants: just deselect «
> Validate server certificate ».
>
> Either way, select « EAP-MSCHAP v2 » as authentication method. Click
> the « Configure » button next."
>
> So I will enable cert validation, retry and post back.
>
> Cheers for the info/tip :)
>
> On 7/6/07, A.L.M.Buxey at lboro.ac.uk <A.L.M.Buxey at lboro.ac.uk> wrote:
> > Hi,
> >
> > > This url here looks like what I need
> > > http://support.novell.com/docs/Tids/Solutions/10100693.html but their
> > > instructions are pretty lousy "For machine-based authentication or
> > > user based authentication, modify the RADIUSD.CONF file by adding the
> > > following lines:" doesn't say where or what section to add said lines
> > > to and we all know how touchy the radiusd.conf file is.
> >
> > those parts can go pretty much anywhere in the main config file - eg
> > stick them at the end of the file.
> >
> > from what I can see of the log the NTLM is working fine - the NTKEY
> > reply matched and it's all okay. which leaves me to assume that a
> > config on the client isn't correct - is the machine configured to validate
> > the RADIUS server and does it have the correct 'tick' for the certificate
> > and host name for the server to validate?
> >
> > alan