On 11 June 2017 10:41:27 BST, "Paweł Grzęda" <pawel.grzeda@kamieniarstwo.pl> wrote:
I'm trying to prepare a solution which will provide authentication for PC/laptop's in corporate network. I need this for Cisco switches and Ubiquiti APs/controller.
So you will be doing EAP. Have you decided what EAP methods you want to use?
There is Samba4 configured as domain controller which is central authentication point. I installed Freeradius 3.0.14 on Fedora 25.
OK
I red all the man pages and documentation stored in configuration files and to be honest it's huge amount of information which is not clear for a newbie.
I understand. It's a big learning curve to start with.
I also used tutorial which seems to be third-party, however link was on official freeradius wiki I think.
Well, anyone can edit the wiki, so being there doesn't make anything official. That describes LDAP against AD, which isn't a great experience. You're basically limited to EAP-TTLS/PAP, as AD won't give you the password hash.
I use start_tls to securely bind to LDAP (which is Samba4 AD DC) and the binding works, however I still can't get Access-Accept message. I think my problem is related to clear-text passwords (warning about no known good password), however I don't know how to fix it. Is it a way to configure this to be securely?
What devices are you connecting? If they are all joined to your Samba domain then presumably there is a domain certificate authority in use like real AD? In which case configure EAP-TLS with certificates and forget about LDAP. It'll be far more secure and faster to authenticate as well. Otherwise installing Samba on your FreeRADIUS server and using ntlm_auth type methods with MSCHAPv2 is probably the only real option. -- Matthew