There are two separate policies (virtual servers: WIFI and NETdevs) for each authentication method. The debug output is only for the NETdevs virtual server which does not use EAP-TLS. Again the wireless policy is solid and we have been running for several months with no problems, server is not broken I just can't get the right order I guess. The new policy is where I am having trouble, I am guessing I am to use PAP and authorize with ntlm_auth? On Mon, Dec 28, 2015 at 2:04 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 28, 2015, at 3:45 PM, Rashad Hall <trynot24@gmail.com> wrote:
I am pretty sure my approach to this is all wrong so I've decided to seek the help of the experts.
That's always useful.
I have configured a FreeRADIUS server that authenticates our wifi users with EAP-TLS and will also authenticate users for our network devices.
OK.
Our network devices are mainly Cisco and I need these devices to authenticate users based on their Active Directory credentials.
Then you can't do EAP-TLS. EAP-TLS is certificate authentication. There is no password. So you can't check the password against AD... because the password isn't in EAP-TLS.
Wifi portion is complete, but having trouble with using FreeRADIUS to check AD credentials correctly.
See http://deployingradius.com
It has guides to Active Directory and EAP.
I decided to use MSCHAP (my mistake I believe) for Authentication
Which isn't an EAP method, and can't be used for 802.1X authentication.
and my "radtests" are successful, but when trying to log into a switch I set up for testing I am unsuccessful.
Run the server in debugging mode to see why.
I believe the switch only uses PAP and does not have the capability to use MSCHAP but I am unsure of how to set up PAP to query AD or somehow convert the PAP request into an MSCHAP request server side.
See http://deployingradius.com
Can anyone tell me the best most secure approach to accomplishing my goal (if possible, I must suck at Googling)?
It's been up for 10 years now.
In the future I'd also like to assign Cisco priv levels based on groups a user belongs to in AD. Below is debug output showing first a successful radtest and then the unsuccessful login into the switch.
radiusd -X
You've massively edited the configuration files and broken the server. Don't do that.
Start with the default configuration, and then follow the guide from my web page.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html