On Dec 28, 2015, at 3:45 PM, Rashad Hall <trynot24@gmail.com> wrote:
I am pretty sure my approach to this is all wrong so I've decided to seek the help of the experts.
That's always useful.
I have configured a FreeRADIUS server that authenticates our wifi users with EAP-TLS and will also authenticate users for our network devices.
OK.
Our network devices are mainly Cisco and I need these devices to authenticate users based on their Active Directory credentials.
Then you can't do EAP-TLS. EAP-TLS is certificate authentication. There is no password. So you can't check the password against AD... because the password isn't in EAP-TLS.
Wifi portion is complete, but having trouble with using FreeRADIUS to check AD credentials correctly.
See http://deployingradius.com It has guides to Active Directory and EAP.
I decided to use MSCHAP (my mistake I believe) for Authentication
Which isn't an EAP method, and can't be used for 802.1X authentication.
and my "radtests" are successful, but when trying to log into a switch I set up for testing I am unsuccessful.
Run the server in debugging mode to see why.
I believe the switch only uses PAP and does not have the capability to use MSCHAP but I am unsure of how to set up PAP to query AD or somehow convert the PAP request into an MSCHAP request server side.
See http://deployingradius.com
Can anyone tell me the best most secure approach to accomplishing my goal (if possible, I must suck at Googling)?
http://deployingradius.com It's been up for 10 years now.
In the future I'd also like to assign Cisco priv levels based on groups a user belongs to in AD. Below is debug output showing first a successful radtest and then the unsuccessful login into the switch.
radiusd -X
You've massively edited the configuration files and broken the server. Don't do that. Start with the default configuration, and then follow the guide from my web page. Alan DeKok.