Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend

Mike Loosbrock m-loosbrock at bethel.edu
Wed Apr 8 21:04:49 CEST 2009


On Apr 8, 2009, at 11:28 AM, john wrote:

> Can you suggest a way to test the cert?

Well, you can use the openssl utility to see what your server  
certificate contains:

$ openssl x509 -text -in <server-cert-file>

> Wireshark tells me that my 3Com 3226 switch is sending an eap reject
> immediately after I connect the supplicant to a port protected with
> .1x. I don't see any traffic between the switch and freeradius so I am
> wondering if the switch doesn't support peap? Perhaps I should back
> off and try md5 or something?

Your switch doesn't *need* to support any particular EAP type because  
the EAP exchange is actually between the supplicant and RADIUS. Your  
switch just passes the messages back and forth between the two. If you  
see your switch doing EAP with the supplicant (i.e. EAP is happening,  
but you don't see it at the RADIUS server), your switch may be doing  
what some vendors call 'EAP off-loading'. In other words, the switch  
is handling EAP to get at the credentials it eventually authenticates  
against RADIUS. But I don't know if 3Com switches do this, and if they  
do, it's probably not default.

> Also since I am throwing out the litany of my ignorance I haven't
> solved in a good way a complaint that I get when I am testing via
> 'wbinfo -a username%password'. I've had to chmod 777
> /var/run/samba/winbindd_privileged in order to use the socket, of
> course restarting winbind resets the perms here. I saw something about
> enabling extending ACLs on the file system to work around this
> issue. I'd be interested to know what you ended up doing.

Just add the freerad user to the winbindd_priv group.

Mike Loosbrock
Bethel University Network Services
651-638-6723
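
An added example, not part of the original message and not FreeRADIUS or Samba code: a small shell audit for the winbindd_privileged access problem discussed above, which flags the world-accessible state left by chmod 777 and checks the group-membership fix. The path, user and group names are taken from the thread; the function names, the verdict words and the use of GNU `stat -c` are assumptions of this sketch.

```shell
#!/bin/sh
# Audit who can reach winbindd's privileged pipe directory.
# Names below come from the thread; adjust them for your distribution.
PRIV_DIR=/var/run/samba/winbindd_privileged
PRIV_GROUP=winbindd_priv
RADIUS_USER=freerad

# check_priv_access MODE DIR_GROUP "USER_GROUPS"
#   MODE         octal mode of the directory, e.g. 750
#   DIR_GROUP    group owner of the directory
#   USER_GROUPS  space-separated groups of the RADIUS daemon user
# Prints one verdict word; returns 0 only for "ok".
check_priv_access() {
    mode=$1; dir_group=$2; user_groups=$3
    # The last octal digit holds the permissions for "other". Anything
    # non-zero (as after chmod 777) lets every local user into the directory.
    case $mode in
        *[1-7]) echo world-accessible; return 1 ;;
    esac
    if [ "$dir_group" != "$PRIV_GROUP" ]; then
        echo wrong-group; return 1
    fi
    # Pad with spaces so only a whole group name matches.
    case " $user_groups " in
        *" $PRIV_GROUP "*) echo ok ;;
        *) echo not-member; return 1 ;;   # fix: add the user to the group
    esac
}

# audit_live: gather the real values (GNU stat assumed) and print a verdict.
# Returns 2 if the directory or the user cannot be inspected.
audit_live() {
    info=$(stat -c '%a %G' "$PRIV_DIR") || return 2
    user_groups=$(id -Gn "$RADIUS_USER") || return 2
    check_priv_access "${info% *}" "${info#* }" "$user_groups"
}

# Run against the local system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

A group change only takes effect for newly started processes, so restart the RADIUS daemon before re-running the audit.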



