<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";
mso-believe-normal-left:yes;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
color:black;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
<![if mso 9]>
<style>
p.MsoNormal
{margin-left:3.35pt;}
</style>
<![endif]>
</head>
<body lang=EN-US link=blue vlink=blue style='margin-left:3.35pt;margin-top:
3.35pt;margin-right:3.35pt;margin-bottom:.85pt'>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>Yeah, not sure what “Abooba”
does when it terminates PEAP, but it weirds things out sometimes. Still
doesn’t explain why XP just worked but W7 had bunches of issues, but I
can attest that making the Abooba controllers pass *eap to FR works better –
maybe works 100%.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>The only thing we noticed is, if Abooba
does NOT terminate PEAP – there is no “local” login option
available. We had our two FR servers configured as well as local login
(as last resort). I guess now we need to be REALLY sure at least one FR
server is up all the time!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>G<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='margin:0in;margin-bottom:.0001pt;
text-align:center'><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal style='margin:0in;margin-bottom:.0001pt'><b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Mark Jones<br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, May 19, 2011 12:15
PM<br>
<b><span style='font-weight:bold'>To:</span></b>
freeradius-users@lists.freeradius.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: Renaming during
Machine Authentication</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal style='margin:0in;margin-bottom:.0001pt'><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>This is on a
samba domain Phil as per the cool solutions article I mentioned in an earlier
post. I am looking into my <st1:place w:st="on">Aruba</st1:place> settings now
for termination<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal style='margin:0in;margin-bottom:.0001pt'><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal style='margin:0in;margin-bottom:.0001pt'><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>Mark<br>
<br>
>>> Phil Mayers &lt;p.mayers@imperial.ac.uk&gt; 5/19/2011 1:58 AM
>>><br>
<br>
> User-Name = "host/TECH-11501"<br>
<br>
Machines which are in the domain normally have this as:<br>
<br>
host/name.domain.com<br>
<br>
i.e. there is a "domain.com" at the end of the name.<br>
<br>
The absence of that suggests to me that the machine is not a domain <br>
member. Is that the case? If so, it cannot do machine auth.<br>
<br>
> Calling-Station-Id = "00265EE9B2CA"<br>
> Called-Station-Id = "000B86611894"<br>
> MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd<br>
> MS-CHAP2-Response =<br>
> 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d<br>
> Service-Type = Login-User<br>
> Aruba-Essid-Name = "HPSD_RAD2"<br>
> Aruba-Location-Id = "Tech 01"<br>
<br>
Great. More <st1:place w:st="on">Aruba</st1:place>, probably terminating the
PEAP locally. What a junky <br>
product.<br>
<br>
See other posts on the list in the past few days - you should DISABLE <br>
"terminate PEAP" (or whatever the option is) on your <st1:place
w:st="on">Aruba</st1:place> equipment, <br>
and let it do the EAP/PEAP.<br>
<br>
> +- entering group MS-CHAP {...}<br>
> [mschap] Creating challenge hash with username: host/TECH-11501<br>
> [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password<br>
> [mschap] FAILED: MS-CHAP2-Response is incorrect<br>
<br>
Hmm. Indicating the password is not correct or the EAP has been fiddled <br>
with.<br>
<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal style='margin:0in;margin-bottom:.0001pt'><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'><o:p> </o:p></span></font></p>
</div>
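<p class=MsoNormal>Added example, not part of the original thread and not FreeRADIUS code: a small Python check over the request attributes that the server's debug output prints, flagging the two symptoms discussed above (MS-CHAP attributes arriving with no EAP-Message, meaning the controller terminated PEAP itself, and a host/ User-Name with no domain suffix). The function names, finding labels and sample requests are constructed for illustration.</p>

```python
import re

# Constructed samples in the "Attribute = value" layout of the request quoted in the
# thread. Hex values are placeholders, not real captures.
TERMINATED = '''
User-Name = "host/TECH-11501"
Calling-Station-Id = "00265EE9B2CA"
MS-CHAP-Challenge = 0x00000000000000000000000000000000
MS-CHAP2-Response = 0x0700000000000000
Service-Type = Login-User
Aruba-Essid-Name = "HPSD_RAD2"
'''

PASSED_THROUGH = '''
User-Name = "host/tech-11501.example.org"
Calling-Station-Id = "00265EE9B2CA"
EAP-Message = 0x0200000501
Message-Authenticator = 0x00000000000000000000000000000000
'''

ATTR = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_request(text):
    """Return {attribute: value} for every 'Name = value' line, quotes stripped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def review_request(text):
    """Return a list of finding labels (hypothetical names) for one request."""
    attrs = parse_request(text)
    findings = []
    has_eap = "EAP-Message" in attrs
    has_mschap = "MS-CHAP2-Response" in attrs or "MS-CHAP-Response" in attrs
    # Bare MS-CHAP with no EAP-Message: the NAS unwrapped PEAP before RADIUS saw it.
    if has_mschap and not has_eap:
        findings.append("nas-terminated-eap")
    # Heuristic from the thread: domain members normally send host/name.domain.com.
    user = attrs.get("User-Name", "")
    if user.lower().startswith("host/") and "." not in user[5:]:
        findings.append("machine-name-without-domain")
    return findings
```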
</body>
</html>