Franks Andy (RLZ) IT Systems Engineer wrote:
... It worked brilliantly in testing, but come production, when i reboot the switch or clear the authentication on the ports it can take up to ten minutes for 10-15 clients to authenticate,
That's bad. 10-15 clients should be done in a second or so. My guess is that the ntlm_auth process is taking a *long* time. Maybe your DNS settings are broken. Set up a test server. Run it in debugging mode and see. If the authentication takes more than a second or so (wtih debug messages), something is wrong.
- Synch the content of the AD OU I have the mac address "users" in to an SQL database, maybe using vbscript/.net, including any state information like whether the account is disabled or expired and test against these custom fields during authentication.
That will work for MS-CHAP. Not for CHAP.
The authorisation process I currently have running against ldap doesn't pick up the account information being expired, maybe I need to look into this. I want to be able ideally to feed information back following a successful authentication to a custom attribute in AD, which is quite possible with an SQL database as an "intermediary", for example switch and port ID, useful stuff to know. I can't think of any native linux apps that can change AD attributes, excluding samba doing groups and passwords, maybe there is one?
A normal LDAP client should work.
- Use ldap as an authentication method? I know that AD will never give me back a password, but since this is mac authentication I was wondering if in the authorisation bit of the virtual server I could update the cleartext-password attribute based on the username as the two details are always identical in mac based auth, and then perform authentication with a known password. Maybe this would pick up locked usernames instead, again not sure about MS ldap in this area, never tried.
If it's MAC authentication, then FreeRADIUS can do the CHAP checking itself. And there's no point in doing *more* authentication. The only reasonable thing to do is various checks in LDAP for the MAC address.
- use nps as a proxy for the authentication. I don't really want to do this, but nps will (I think) allow chap / AD authentication.
No, it won't. It's impossible.
Any ideas which of these / other would be the right direction to follow? Need to do this in a hurry as the next switch is rolling out soon so don't have time to look into all of them..
Step 1: find out what's wrong with the current system. If something is broken, fix it. Don't work around the problem. That makes it worse. Alan DeKok.