<div> </div>
<div>Well, yes - it does proxy them fine. But is the request from the switch an MS-CHAP one? I don't think it is.</div>
<div> </div>
<div>The switch will be sending a PAP request, not an MS-CHAP one, and so you'll need to configure FreeRADIUS to take the PAP request and auth that against AD. As the switch isn't sending an MS-CHAP request, FreeRADIUS can't process it as such, and so the MS-CHAP module returns noop. Unfortunately, I'm not clued up enough on FreeRADIUS to help you with this config, but in essence this is what I think you need to do to achieve your goal.<br>
</div>
<div class="gmail_quote">2008/12/3 Ben Little <span dir="ltr"><<a href="mailto:BLittle@skylight.com" target="_blank">BLittle@skylight.com</a>></span><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div>Yeah, I'm trying to authenticate and authorize administrative tty sessions to the Cisco equipment itself, not 802.1X for clients on the network. If it's not possible, I guess it's not possible. It does kind of make me wonder how the Cisco ACS works though, because that 'proxies' RADIUS or TACACS+ authen and author requests to Active Directory quite nicely.<br>
</div><br>
<div lang="en-us" dir="ltr" align="left">
<hr>
<font face="Tahoma" size="2"></font></div>
<blockquote style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<p>
<div lang="en-us" dir="ltr" align="left"><font face="Tahoma" size="2"><b>From:</b> freeradius-users-bounces+blittle=<a href="http://skylight.com/" target="_blank">skylight.com</a>@<a href="http://lists.freeradius.org/" target="_blank">lists.freeradius.org</a> [mailto:<a href="mailto:freeradius-users-bounces%2Bblittle" target="_blank">freeradius-users-bounces+blittle</a>=<a href="http://skylight.com/" target="_blank">skylight.com</a>@<a href="http://lists.freeradius.org/" target="_blank">lists.freeradius.org</a>] <b>On Behalf Of </b>Rupert Finnigan<br>
<b>Sent:</b> Wednesday, December 03, 2008 2:04 PM<br><b>To:</b> FreeRadius users mailing list<br><b>Subject:</b> Re: Beating a dead horse, or freeradius 2.1.1 and active directory<br></font><br></div>
<div>
<div></div>
<div>
<div></div>
<div>Hi,</div>
<div> </div>
<div>I'm not sure if what you're doing is going to work. You're trying to use MS-CHAP to handle terminal session logins, I think. Most of the MS-CHAP advice given so far is to get EAP working from a client, say an XP laptop doing 802.1X to gain access to a switchport.</div>
<div> </div>
<div>Someone will definitely correct me if I'm wrong, but I thought you could only do PAP (or CHAP???) for authentication to a terminal line. In which case, you either have to use the plain old users file, use a database such as MySQL, or (probably a better solution) use the LDAP module to bind to the AD with the supplied username and password, and allow access if successful.</div>
<div> </div>
<div>Like I say - I'm really unsure on this one, but as no-one's replied for a while I thought it might help...</div>
<div> </div>
<div>Thanks,</div>
<div> </div>
<div>Rupes<br><br></div>
<div class="gmail_quote">2008/12/3 Ben Little <span dir="ltr"><<a href="mailto:BLittle@skylight.com" target="_blank">BLittle@skylight.com</a>></span><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid"><br>PAP is working:<br><br>++[pap] returns updated<br>Found Auth-Type = PAP<br>+- entering group PAP {...}<br>
[pap] login attempt with password "secretz"<br>[pap] Using clear text password "secretz"<br>[pap] User authenticated successfully<br>++[pap] returns ok<br>+- entering group post-auth {...}<br>++[exec] returns noop<br>
Sending Access-Accept of id 21 to *.*.*.* port 1645<br> Cisco-AVPair = "shell:priv-lvl=15"<br>Finished request 1.<br>
<div>Going to the next request<br></div>
<div>Waking up in 4.9 seconds.<br></div>Cleaning up request 1 ID 21 with timestamp +431<br>Ready to process requests.<br><br>For some reason though, even when configured to do so, the authentication attempt coming from a switch or router is not being forwarded to the KDC. I have followed that how-to now to the letter and Active Directory is not working; however, Active Directory and krb are both working fine on the server:<br>
<br>[wbinfo -a test%test output]<br>plaintext password authentication failed<br>Could not authenticate user test%test with plaintext password<br>challenge/response password authentication succeeded<br><br>I'm not sure what I am missing here. Why isn't the login attempt on the switch being forwarded to Active Directory? Is there something within the switch that needs to be set? A RADIUS attribute maybe, to identify the login attempt as mschap?<br>
<div><br>><br>> Howto will show you how to set up and test with pap first:<br>><br><br></div>
<div>
<div></div>
<div>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></div></div></blockquote></div><br></div></div>
</p></blockquote></div><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br>
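<div>As an added example (not code from this thread, nor FreeRADIUS's own shipped configuration), one way to do what Rupert describes, take the PAP request from the switch and authenticate it against AD, is the ntlm_auth exec-module approach from the FreeRADIUS Active Directory howto. The raddb paths, the 2.x layout and the domain name EXAMPLE are assumptions and placeholders.</div>

```unlang
# Added example (not from the thread): route a PAP login from a Cisco
# tty/vty to Active Directory via Samba's ntlm_auth, as in the FreeRADIUS
# AD howto. FreeRADIUS 2.x layout; file paths and the domain name EXAMPLE
# are assumptions/placeholders.

# --- raddb/modules/ntlm_auth ---
exec ntlm_auth {
    wait = yes
    # %{mschap:User-Name} strips any DOMAIN\ or @realm decoration before the
    # name is handed to winbind; User-Password is the PAP plaintext.
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- raddb/sites-enabled/default ---
authorize {
    preprocess
    mschap                # still needed so the %{mschap:...} expansion works
    # A tty login arrives as PAP (User-Password present), never as MS-CHAP, so
    # force the ntlm_auth Auth-Type only for those requests. CHAP/MS-CHAP
    # requests carry no User-Password and keep their own Auth-Type.
    if (User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
    # Do not also give the same user a Cleartext-Password in 'users': the pap
    # module would then claim the request ("Found Auth-Type = PAP") and
    # ntlm_auth would never be consulted.
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
    pap
}

post-auth {
    # Authorization belongs here. A blanket Cisco-AVPair "shell:priv-lvl=15"
    # for every authenticated user hands enable-level access to any domain
    # account; return it only for admin accounts (e.g. after an LDAP group
    # check) and "shell:priv-lvl=1" otherwise.
}
```

Run <code>radiusd -X</code> and confirm the debug shows <code>Found Auth-Type = ntlm_auth</code> rather than <code>Found Auth-Type = PAP</code> for a tty login.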