FreeRADIUS + Cisco + Active Directory

Rashad Hall trynot24 at gmail.com
Mon Dec 28 23:18:20 CET 2015 

There are two separate policies (virtual servers: WIFI and NETdevs) for
each authentication method. The debug output is only for the NETdevs
virtual server which does not use EAP-TLS. Again the wireless policy is
solid and we have been running for several months with no problems, server
is not broken I just can't get the right order I guess. The new policy is
where I am having trouble, I am guessing I am to use PAP and authorize with
ntlm_auth?

On Mon, Dec 28, 2015 at 2:04 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 28, 2015, at 3:45 PM, Rashad Hall <trynot24 at gmail.com> wrote:
> > I am pretty sure my approach to this is all wrong so I've decided to seek
> > the help of the experts.
>
>   That's always useful.
>
> > I have configured a FreeRADIUS server that authenticates our wifi users
> > with EAP-TLS and will also authenticate users for our network devices.
>
>   OK.
>
> > Our
> > network devices are mainly Cisco and I need these devices to authenticate
> > users based on their Active Directory credentials.
>
>   Then you can't do EAP-TLS.  EAP-TLS is certificate authentication.
> There is no password.  So you can't check the password against AD...
> because the password isn't in EAP-TLS.
>
> > Wifi portion is
> > complete, but having trouble with using FreeRADIUS to check AD
> credentials
> > correctly.
>
>   See http://deployingradius.com
>
>   It has guides to Active Directory and EAP.
>
> > I decided to use MSCHAP (my mistake I believe) for
> > Authentication
>
>   Which isn't an EAP method, and can't be used for 802.1X authentication.
>
> > and my "radtests" are successful, but when trying to log
> > into a switch I set up for testing I am unsuccessful.
>
>   Run the server in debugging mode to see why.
>
> > I believe the switch
> > only uses PAP and does not have the capability to use MSCHAP but I am
> > unsure of how to set up PAP to query AD or somehow convert the PAP
> request
> > into an MSCHAP request server side.
>
>   See http://deployingradius.com
>
> > Can anyone tell me the best most secure
> > approach to accomplishing my goal (if possible, I must suck at Googling)?
>
>   http://deployingradius.com
>
>   It's been up for 10 years now.
>
> > In the future I'd also like to assign Cisco priv levels based on groups a
> > user belongs to in AD. Below is debug output showing first a successful
> > radtest and then the unsuccessful login into the switch.
> >
> > radiusd -X
>
>   You've massively edited the configuration files and broken the server.
> Don't do that.
>
>   Start with the default configuration, and then follow the guide from my
> web page.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list