Help with chap

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Sun May 19 00:11:36 CEST 2013


Thanks Alan,
  It takes literally a second or so for a single client auth, but
problems arise with multiple clients. I'll reset a card on the switch
and capture the logs and see what's happening. Nothing as far as I
remember pointed towards the ntlm_auth being the issue, it was the
failure to complete the eap transaction that seemed to be the problem,
but then I didn't scan each and every line to be honest.
I'll post back.
Thanks
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 18 May 2013 13:37
To: FreeRadius users mailing list
Subject: Re: Help with chap

Franks Andy (RLZ) IT Systems Engineer wrote:
> ... It worked brilliantly in testing, but come
> production, when I reboot the switch or clear the authentication on the
> ports it can take up to ten minutes for 10-15 clients to authenticate,

  That's bad.  10-15 clients should be done in a second or so.

  My guess is that the ntlm_auth process is taking a *long* time.  Maybe
your DNS settings are broken.

  Set up a test server.  Run it in debugging mode and see.  If the
authentication takes more than a second or so (with debug messages),
something is wrong.

> - Synch the content of the AD OU I have the mac address "users" in to an
> SQL database, maybe using vbscript/.net, including any state information
> like whether the account is disabled or expired and test against these
> custom fields during authentication.

  That will work for MS-CHAP.  Not for CHAP.

> The authorisation process I
> currently have running against ldap doesn't pick up the account
> information being expired, maybe I need to look into this. I want to be
> able ideally to feed information back following a successful
> authentication to a custom attribute in AD, which is quite possible with
> an SQL database as an "intermediary", for example switch and port ID,
> useful stuff to know. I can't think of any native linux apps that can
> change AD attributes, excluding samba doing groups and passwords, maybe
> there is one?

  A normal LDAP client should work.

> - Use ldap as an authentication method? I know that AD will never give
> me back a password, but since this is mac authentication I was wondering
> if in the authorisation bit of the virtual server I could update the
> cleartext-password attribute based on the username as the two details
> are always identical in mac based auth, and then perform authentication
> with a known password. Maybe this would pick up locked usernames
> instead, again not sure about MS ldap in this area, never tried.

  If it's MAC authentication, then FreeRADIUS can do the CHAP checking
itself.  And there's no point in doing *more* authentication.  The only
reasonable thing to do is various checks in LDAP for the MAC address.

> - use nps as a proxy for the authentication. I don't really want to do
> this, but nps will (I think) allow chap / AD authentication.

  No, it won't.  It's impossible.

> Any ideas which of these / other would be the right direction to follow?
> Need to do this in a hurry as the next switch is rolling out soon so
> don't have time to look into all of them..

  Step 1: find out what's wrong with the current system.

  If something is broken, fix it.  Don't work around the problem.  That
makes it worse.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
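The thread turns on two points: CHAP can only be verified by something that holds the cleartext password (which is why AD, which never returns one, cannot do CHAP and MS-CHAP is the different case), and in MAC-based authentication the username and password are the same string, so the RADIUS server can do the CHAP check itself and leave only the "is this MAC allowed / enabled" lookup to the directory. The following Python is an added illustration of that CHAP check as described in RFC 1994 and RFC 2865 section 5.3; it is not FreeRADIUS code, and the `KNOWN_MACS` table is a constructed stand-in for the LDAP lookup Alan refers to.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the directory lookup (the AD OU of MAC "users").
# In the thread this would be an LDAP query; here it is a dict so the example runs offline.
KNOWN_MACS = {
    "001122334455": {"enabled": True},   # constructed sample MAC, allowed
    "66778899aabb": {"enabled": False},  # constructed sample MAC, account disabled
}


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).

    The secret (cleartext password) is an input to the hash, which is why a
    verifier needs the cleartext and an NT hash from AD is of no use here.
    """
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def build_chap_password(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """What a NAS puts in the RADIUS CHAP-Password attribute: 1 byte ID + 16 byte response."""
    return bytes([chap_id]) + chap_response(chap_id, secret, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    """Server-side check: recompute the response from the known cleartext and compare."""
    if len(chap_password) != 17:  # malformed attribute: reject rather than guess
        return False
    chap_id = chap_password[0]
    expected = chap_response(chap_id, cleartext_password, challenge)
    # Constant-time comparison so the verifier does not leak how many bytes matched.
    return hmac.compare_digest(expected, chap_password[1:])


def mac_auth(username: str, chap_password: bytes, challenge: bytes) -> bool:
    """MAC auth: the password *is* the username, so the CHAP check proves little on its own.

    The real authorisation decision is the directory lookup (known MAC, not disabled);
    the CHAP verification only confirms the NAS built the attribute correctly.
    """
    entry = KNOWN_MACS.get(username)
    if entry is None or not entry["enabled"]:
        return False
    return verify_chap(chap_password, challenge, username.encode())


def demo() -> dict:
    """Run the three interesting cases and return their outcomes."""
    challenge = os.urandom(16)  # CHAP-Challenge as the NAS would generate it
    ok_mac, disabled_mac, unknown_mac = "001122334455", "66778899aabb", "ffffffffffff"
    return {
        "enabled_mac": mac_auth(ok_mac, build_chap_password(7, ok_mac.encode(), challenge), challenge),
        "disabled_mac": mac_auth(disabled_mac, build_chap_password(7, disabled_mac.encode(), challenge), challenge),
        "unknown_mac": mac_auth(unknown_mac, build_chap_password(7, unknown_mac.encode(), challenge), challenge),
        # NAS sent a response computed over the wrong secret: CHAP itself rejects it
        "wrong_secret": mac_auth(ok_mac, build_chap_password(7, b"not-the-mac", challenge), challenge),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'Access-Accept' if result else 'Access-Reject'}")
```

Note that nothing in `verify_chap` can be fed an NT hash or an LDAP bind result; the cleartext password must be present on the RADIUS server (here, the MAC string itself), which is exactly why the "AD as CHAP backend" options in the thread cannot work while the "let FreeRADIUS check CHAP and ask LDAP about the MAC" option can.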