Following on from this, I've just had a read of my radiusd.conf file. I'd start by having a look at the ldap module, specifically around the: # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. bit.. This might provide the answer you're looking for. Rupes 2008/12/3 Rupert Finnigan <rupert.finnigan@googlemail.com>
Well, yes - it does proxy them fine.. But is the request from the switch a MS-CHAP one? I don't think it is..
The switch will be sending a PAP request, not a MS-CHAP one, and so you'll need to configure FreeRADIUS to take the PAP request and auth that against AD. As the switch isn't sending a MS-CHAP request then FreeRADIUS can't process it as such, and so MS-CHAP module returns noop. Unfortunately, I'm not clued up enough on FreeRADIUS to help you with this config, but in essence this is what I think you need to do to achieve your goal. 2008/12/3 Ben Little <BLittle@skylight.com>
yeah I'm trying to authenticate and authorize administrative tty session to the cisco equipment itself, not 802.1x for clients on the network. If it's not possible I guess it's not possible. It does kind of make me wonder how the Cisco ACS works though because that 'proxies' radius or tacacs+ authen and author requests to active directory quite nicely.
------------------------------
*From:* freeradius-users-bounces+blittle=skylight.com@ lists.freeradius.org [mailto:freeradius-users-bounces+blittle<freeradius-users-bounces%2Bblittle> =skylight.com@lists.freeradius.org] *On Behalf Of *Rupert Finnigan *Sent:* Wednesday, December 03, 2008 2:04 PM *To:* FreeRadius users mailing list *Subject:* Re: Beating a dead horse, or freeradius 2.1.1 and active directory
Hi,
I'm not sure if what you're doing is going to work.. You're trying to use MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP advise given so far is to get EAP working from a client, say a XP laptop doing 802.1X to gain access to a switchport.
Someone will definitely correct me if I'm wrong, but I thought you could only do PAP (or CHAP???) for Authentication to a Terminal line. In which case, you either have to use the plain old users file, use a database such as mysql, or (probably a better solution) use the LDAP module to bind to the AD with the supplied username and password, and allow access if successful.
Like I say - I'm really unsure on this one, but as no-ones replied for a while I though it might help...
Thanks,
Rupes
2008/12/3 Ben Little <BLittle@skylight.com>
PAP is working:
++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "secretz" [pap] Using clear text password "secretz" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 21 to *.*.*.* port 1645 Cisco-AVPair = "shell:priv-lvl=15" Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 21 with timestamp +431 Ready to process requests.
For some reason though, even when configured to do so, the authentication attempt coming from a switch or router is not being forwarded to the KDC. I have followed that how-to now to the letter and Active Directory is not working, however active directory and krb are both working fine on the server;
[wbinfo -a test%test output] plaintext password authentication failed Could not authenticate user test%test with plaintext password challenge/response password authentication succeeded
I'm not sure what I am missing here? Why isn't the login attempt on the switch being forwarded to active directory? Is there something within the switch that meeds to be set? A radius attribute maybe to identify the login attempt as mschap?
Howto will show you how to set up and test with pap first:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html