Does anyone have a front end interface they like to use? Daloradius does not seem to support LDAP/AD when showing users connected to AP's. Thanks Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 4:57 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Ok I am almost done with all the questions... Now when I go to login to wifi I am able to download cert and everything but I get an authentication failure. I have read most of it and am a little confused. Just wondering if any one had better insight on this.
look, I take it that you are new to FreeRADIUS - but surely you have read the output that you've posted to this list...and seen what it is that is different to the request now using EAP compared to when you were testing with radtest....
[peap] Setting User-Name to CORP\aschappell
look - CORP/aschappell is what was sent through from your client, through the NAS to your RADIUS server
User-Name = "CORP\\aschappell"
see...part of the RADIUS datagram
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
EAP is working okay...you got into the inner-tunnel
[ldap] performing user authorization for CORP\aschappell
[ldap] expand: %{Stripped-User-Name} ->
stripped-user-name is blank because the user-name didnt match any of your prefix or suffix rules...so its kept the same.
[ldap] object not found
[ldap] search failed
..and unlike your plain test, this fails now.
...and because this fails, everything else fails as theres no password to use for the authentication modules.
so, if you want to deal with this, you either need to handle that prefix OR you need to strip it - by either defining it in proxy.conf or enabling the ntdomain module which will deal with it. the domain is coming from your windows client...ist the sort of things they do (alternatively, configure the windows client to NOT log in using windows username/password(!) )
but I'll stop you at this point.... you appear to be going down the route of trying to use AD with PEAP - using the LDAP module.... and I'm afraid you wont get much further. you need to use the mschap module with ntlm_auth to do the required authentication, AUTHORISATION is okay with LDAP using MS AD but authentication = no.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html