On 04/18/2011 08:39 PM, East, Bill wrote:
Like the man says, other people are doing it so I know it's not impossible. What seems to be happening from reading the debug is that domain/user requests are coming in using EAP, doing the TLS interchange, then using MSCHAPv2 to verify the credentials. The host requests, on the other hand, do the TLS side but never seem to progress to the mschap portion. I've gone mildly crosseyed reading the debugs but I don't see where it is that I've gone wrong. I'm very new to RADIUS but I've been doing Linux and Windows for a while so I know that this *should* work.
Have you made sure that your root cert is present in the right stores - remember windows clients have both machine and per-user cert stores. Machine auth requires it be in the machine store.
The configuration is: AD 2008 with a Slackware Linux server running the lastest Samba and Kerberos as well as obviously FR. The client is a Windows XP box with the latest service pack. Below is a mildly sanitized copy of radiusd -X with both failed machine logins (LP-0010 is the host) and a successful user (myuser) login.
Couple of points: the debug is actually quite mangled. The indenting has all gone away, making it really hard to follow, and you've chopped the top off where FreeRADIUS starts and prints out the config, meaning some vital info is absent. Also, it only looks sanitised; much of the data you *think* you've removed is actually contained again inside the hex of the EAP-Message packets, so it's basically pointless. If you don't want to reveal sensitive data, create a test user. So given the mangling this is a guess, but as Alan says you're apparently manglnig the usernames, which will definitely break things; but to my eye, it looks like it's failing earlier than that, as the the certificate exchange bit, implying the issue I note above. On the subject of mangling usernames - if you want to deal with all 3 of: domain\user user host/name.domain.com ...you can use the following: %{mschap:User-Name} ...and the mschap module will strip them all into the right form. Specifically, when you configure your ntlm_auth helper line in raddb/modules/mschap, I recommend it read: ntlm_auth = "... --username=%{mschap:User-Name} ..." HTH