802.1x host/machine authentication

Chidanand Gangur chidanand.gangur at gmail.com
Wed Oct 20 19:39:55 CEST 2010


Thanks Phil.
I am still not clear. I just want to proxy the host authentication request
to the actual RADIUS server which is Microsoft AD. In such cases what
configuration is required on proxy server? Can it be done?

Well, I mentioned the realm type as IPASS, as the IPASS type is of the format
realm/username, as mentioned in the modules/realm file.

Henceforth I will post full logs.

Thanks,
Chidanand


On Wed, Oct 20, 2010 at 7:47 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 20/10/10 12:22, Chidanand Gangur wrote:
>
>> Hi,
>>
>> I have the following setup
>>
>> where a Windows host is connected to a Cisco 2960, which is connected to
>> Microsoft AD via a RADIUS proxy
>>
>> Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
>> Microsoft AD (2003)
>>
>> In the above setup user authentication goes fine. I am using PEAP v1
>> authentication.
>>
>> I am struggling hard to make host authentication successful.
>>
>> When the machine boots I see radius Access-Request with User-Name =
>> "host/radhost1.testad1.com" which
>> qualifies to IPASS type realm and searches for realm as "host" and
>> things do not work.
>>
>
> No - it's not an IPASS realm. You need to disable the IPASS module.
>
> host/machine.domain.com
>
> corresponds to:
>
> DOMAIN\machine$
>
> i.e. the machine account.
>
> The "mschap" module can expand this, for example if you have the
> "ntlm_auth" helper to authenticate MS-CHAP against a windows domain using
> samba as a helper:
>
> ntlm_auth = "... --username=%{mschap:User-Name} ..."
>
> ...will do the right thing.
>
>
>
>> Please point me to links/docs or give me pointer where/how to start.
>>
>
> Post the full debug output, not an edited version.
>
>
>> Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
>> Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
>> Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
>>
>
> This is EAP-MD5. You have not configured your windows client correctly.
> Configure it correctly for PEAP/MS-CHAP.



-- 
Chidanand Gangur
Pune.
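
The mapping discussed in this thread, as an added Python example that is not part of the original messages and is not FreeRADIUS code: it shows why a prefix-style (realm/username) split turns `host/radhost1.testad1.com` into a realm named "host", and how the same string maps to a machine account instead. The function names are hypothetical, and taking the domain from the first DNS label after the host name is an assumption of this sketch.

```python
PREFIX = "host/"  # identity prefix Windows sends for machine authentication


def ipass_prefix_split(user_name, delimiter="/"):
    """Prefix-style realm split (realm/username), the format the IPASS
    realm type expects. Returns (realm, user); realm is None without a
    delimiter."""
    realm, sep, user = user_name.partition(delimiter)
    return (realm, user) if sep else (None, user_name)


def machine_account(user_name):
    """Map host/machine.domain.com to (domain, "machine$").

    Assumption: the domain is the first DNS label after the host name;
    with a bare host name the machine name doubles as the domain.
    Returns None when the name is not a usable host/ identity.
    """
    if not user_name.startswith(PREFIX):
        return None
    labels = user_name[len(PREFIX):].split(".")
    machine = labels[0]
    if not machine:
        return None
    domain = labels[1] if len(labels) > 1 and labels[1] else machine
    return domain, machine + "$"


def classify(user_name):
    """Decide how a proxy should treat an incoming User-Name."""
    acct = machine_account(user_name)
    if acct:
        return "machine", "%s\\%s" % acct
    return "user", user_name


if __name__ == "__main__":
    name = "host/radhost1.testad1.com"  # User-Name from the thread
    print("prefix realm split:", ipass_prefix_split(name))
    print("machine mapping:   ", classify(name))
    print("ordinary user:     ", classify("TESTAD1\\alice"))  # constructed sample
```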