On 07/05/14 16:33, Richard Long wrote:
Hi all, I'm a bit stuck. I've stood up a CentOS server with FreeRADIUS so I can authenticate against Active Directory using a Cisco Wireless Controller. As you can see from the output below, I've got ntlm_auth and radtest working correctly, however, the wireless controller doesn't seem to be passing passwords to FreeRADIUS. I very obviously got something wrong in my setup, but I can't figure out what. I appreciate any help.
Few things for background, because terminology matters: First, the wireless controller doesn't "send passwords" (unless you're doing web auth). It forwards the EAP traffic from the wireless client. Second, the only valid EAP methods for WPA-Enterprise are those which generate keying material - typically, but not exclusively, TLS-based methods. In almost every case, the password is not available, and in the few cases it is, only *after* EAP has completed a TLS exchange. Third, you are further limited by the intersection of the EAP methods your client base supports and your password store can authenticate. See here for more information: http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html Looking at your debugging, the problem is that you've put the "ntlm_auth" module into authorize like this: authorize { ... ntlm_auth ... } That's not what you want. The (unfortunately named) "ntlm_auth" module checks username/password. As above, wireless clients don't send this - they speak one or more EAP methods. In any event, you don't want to put that module there; it would live in "authenticate" and you'd use an "Auth-Type" directive to direct to it, as described here: http://deployingradius.com/documents/configuration/active_directory.html Remove the "ntlm_auth" module from your config. What you actually want is to take the default config and: 1. Edit "modules/mschap". Uncomment and put appropriate values for the "ntlm_auth" option of *that* module 2. Start the server and test