<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div><font size="2" color="navy" face="Arial">This isn't a comment on FreeRadius, but in our recent experiences with 802.1x and Windows XP clients it was a total waste of time. The built-in XP dot1x client is not up to the job. We had contractors in trying
to make it work and everything was perfect on the network setup. In the end, Windows XP simply had issues authenticating 100% of the time (probably closer to 65%). When you do get it to authenticate properly you'll run into problems with anyone else doing
an RDP to the Windows server (say your helpdesk folks) because re-authentication will kick in and drop the connection.
<br>
<br>
Your best bets are: Windows 7 for the improved dot1x client; scrap dot1x and do port-based access-lists; do VMPS with FreeRadius.<br>
</font></div>
<br>
<div>
<hr size="2" width="100%" align="center" tabindex="-1">
<font face="Tahoma" size="2"><b>From</b>: freeradius-users-bounces+jsmith=windmobile.ca@lists.freeradius.org <freeradius-users-bounces+jsmith=windmobile.ca@lists.freeradius.org>
<br>
<b>To</b>: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> <br>
<b>Sent</b>: Wed Oct 20 07:22:56 2010<br>
<b>Subject</b>: 802.1x host/machine authentication <br>
</font><br>
</div>
<div>Hi,<br clear="all">
</div>
<div><br>
</div>
<div>I have the following setup</div>
<div><br>
</div>
<div>where the Windows host is connected to a Cisco 2960, which is connected to Microsoft AD via a RADIUS proxy</div>
<div><br>
</div>
<div>Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) -> Microsoft AD (2003)</div>
<div><br>
</div>
<div>In the above setup user authentication goes fine. I am using PEAP v1 authentication. </div>
<div><br>
</div>
<div>I am struggling hard to make host authentication successful. </div>
<div><br>
</div>
<div>When the machine boots I see a RADIUS Access-Request with User-Name = "host/radhost1.testad1.com", which qualifies for the IPASS-type realm and searches for the realm "host", and things do not work. </div>
<div><br>
</div>
<div>
<div>Please point me to links/docs or give me a pointer on where/how to start.</div>
</div>
<div><br>
</div>
<div>rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141, length=165<br>
User-Name = "host/radhost1.testad1.com"<br>
Service-Type = Framed-User<br>
Framed-MTU = 1500<br>
Called-Station-Id = "00-21-D7-00-51-89"<br>
Calling-Station-Id = "00-13-20-38-33-27"<br>
EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d<br>
Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50009<br>
NAS-IP-Address = 192.168.6.200<br>
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}<br>
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok<br>
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop<br>
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop<br>
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for User-Name = "host/radhost1.testad1.com"<br>
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"<br>
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "radhost1.testad1.com"<br>
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"<br>
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.<br>
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok<br>
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.<br>
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok<br>
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied. Ignoring.<br>
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok<br>
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied. Ignoring.<br>
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok<br>
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length 30<br>
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation<br>
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated<br>
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound<br>
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop<br>
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop<br>
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop<br>
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop<br>
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP<br>
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}<br>
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity<br>
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5<br>
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge<br>
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled<br>
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645<br>
EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x6d4e1d1a6d5519217cdc7f95e535c25b<br>
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.<br>
Wed Oct 20 07:27:48 2010 : Debug: Going to the next request<br>
Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks & Regards</div>
<div><br>
</div>
-- <br>
Chidanand Gangur<br>
Pune.<br>
<br>
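<div>An added worked example (not code from the thread or from FreeRADIUS itself) modelling the realm-module chain the debug log shows: the IPASS instance uses format = prefix with delimiter "/", so it splits "host/radhost1.testad1.com" into realm "host" and user "radhost1.testad1.com", falls back to the DEFAULT realm, marks the request LOCAL, and the suffix and ntdomain instances that follow then skip it. The realm table, the module parameters and the exact split point are assumptions of the model.</div>

```python
# Model of how FreeRADIUS 2.x rlm_realm instances split a User-Name in turn.
# Constructed illustration, not FreeRADIUS code; it follows the log above.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RealmModule:
    name: str        # instance name as listed in the authorize section
    fmt: str         # rlm_realm 'format': "prefix" or "suffix"
    delimiter: str   # rlm_realm 'delimiter'

@dataclass
class Result:
    realm: Optional[str] = None     # Realm attribute, once a module sets it
    stripped: Optional[str] = None  # Stripped-User-Name
    local: bool = False             # True when the realm has no home server
    notes: List[str] = field(default_factory=list)

# Realms known to the proxy; None means no home server, i.e. LOCAL.
# Constructed: DEFAULT exists and "host" does not, as in the log above.
REALMS = {"DEFAULT": None, "testad1.com": "ad-home-servers"}

def run_realm(mod, user_name, res):
    """One rlm_realm instance; mirrors the messages it logs."""
    if res.realm is not None:  # an earlier instance already set Realm
        res.notes.append(f"[{mod.name}] Request already proxied. Ignoring.")
        return
    if mod.delimiter not in user_name:
        return                 # nothing to split, module is a noop
    if mod.fmt == "prefix":    # realm/user: realm before the delimiter
        realm, _, user = user_name.partition(mod.delimiter)
    else:                      # user@realm: realm after the delimiter
        user, _, realm = user_name.rpartition(mod.delimiter)
    res.notes.append(f'[{mod.name}] Looking up realm "{realm}"')
    if realm not in REALMS:
        if "DEFAULT" not in REALMS:
            return             # unknown realm, no DEFAULT: leave it alone
        realm = "DEFAULT"      # fall back, exactly as the log shows
    res.realm, res.stripped, res.local = realm, user, REALMS[realm] is None
    res.notes.append(f'[{mod.name}] Found realm "{realm}"')

def authorize(user_name, chain):
    res = Result()
    for mod in chain:
        run_realm(mod, user_name, res)
    return res

CHAIN = [RealmModule("IPASS", "prefix", "/"),       # order as in the log
         RealmModule("suffix", "suffix", "@"),
         RealmModule("ntdomain", "prefix", "\\")]
```

Running authorize("host/radhost1.testad1.com", CHAIN) reproduces the log's outcome, while the same name against CHAIN[1:] is left untouched, which is the difference a machine-account name makes once no prefix instance claims "host" as a realm.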
</body>
</html>