On 20/10/10 12:22, Chidanand Gangur wrote:
Hi,
I have following setup
where windows host is connected to Cisco 2960 which is connected to Microsoft AD via RADIUS proxy
Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) -> Microsoft AD (2003)
In the above setup user authentication goes fine. I am using PEAP v1 authentication.
I am struggling hard to make host authentication successful.
When the machine boots I see radius Access-Request with User-Name = "host/radhost1.testad1.com" which qualifies to IPASS type realm and searches for realm as "host" and things do not work.
No - it's not an IPASS realm. You need to disable the IPASS module. host/machine.domain.com corresponds to: DOMAIN\machine$ i.e. the machine account. The "mschap" module can expand this, for example if you have the "ntlm_auth" helper to authenticate MS-CHAP against a windows domain using samba as a helper: ntlm_auth = "... --username=%{mschap:User-Name} ..." ...will do the right thing.
Please point me to links/docs or give me pointer where/how to start.
Post the full debug output, not an edited version.
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5 Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
This is EAP-MD5. You have not configured your windows client correctly. Configure it correctly for PEAP/MS-CHAP.