Josh Hiner wrote:
Trying to configure eap ttls with mschapv2 using Freeradius version Version 1.1.3 in Redhat enterprise Linux 5.
I suggest upgrading. It's not hard to build an RPM of the latest version of the server. Upgrading will get you a lot.
I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enable the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesnt match the original HTN/josh user sent.
This is fixed in 2.x. You can have different policies for inside the TLS tunnel and outside of it. This makes these configurations easier.
Anyways, anyone know of how to get etc_smbpasswd module to work. I dont want to use the users file (blech) even though it does work when I put the user in there, and again, if I just supply the username and password (and leave the domain part blank in SecureW2 ttls client) authentication does work of /etc/samba/smbpasswd.
Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing). Alan DeKok.