've actually installed freeradius n 've been successful 2 authenticate from same system using radtest. Sql integration 2 is successfully working. I wanna use EAP to connect to another system. On 4/26/11, freeradius-users-request@lists.freeradius.org <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Authenticating against Win2k8r2 without ntlm_auth (schilling) 2. Re: Authenticating against Win2k8r2 without ntlm_auth (Thomas Smith) 3. Re: Authenticating against Win2k8r2 without ntlm_auth (Phil Mayers) 4. Re: Authenticating against Win2k8r2 without ntlm_auth (Phil Mayers) 5. (arpitha arpitha) 6. Re: (Suman Dash) 7. Problem with EAP-TLS authentication in Freeradius (senthil kumar)
----------------------------------------------------------------------
Message: 1 Date: Mon, 25 Apr 2011 09:44:33 -0400 From: schilling <schilling2006@gmail.com> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <BANLkTik2ML94FHiB_0HGtTvC=CAyv-szZw@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
Could we extend the AD schema with another accessible ntPassword hash, and thus use LDAP against AD for PEAP/MSCHAP?
Schilling
On Sun, Apr 24, 2011 at 4:33 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 04/24/2011 12:48 AM, Thomas Smith wrote:
While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working.
If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which case you have precisely one option - continuing to use Samba/ntlm_auth.
Neither kerberos nor LDAP against AD (nor any other method) can be used to process MSCHAP authentications.
If Likewise are going to replace bits of the Samba stack, they should provide compatible bits. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 2 Date: Mon, 25 Apr 2011 11:33:56 -0700 From: Thomas Smith <theitsmith@gmail.com> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <BANLkTimfyMS_qobO1bxE4Q8xgKDz0zA6yQ@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
On Sun, Apr 24, 2011 at 1:33 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 04/24/2011 12:48 AM, Thomas Smith wrote:
While Samba 3.5 and Likewise 6 fixed the problems authenticating against Win2k8r2, Likewise removed support for Samba/Winbind in their 6.x series product (they included full support for Samba/Winbind in their 5.x series product)--they now use their own libraries to provide "winbind" functionality. The result of this is that the Samba-included ntlm_auth no longer works (and Likewise doesn't provide a comparable replacement)--since my FreeRADIUS install was using ntlm_auth for AD authentication and authorization, it is no longer working.
If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which case you have precisely one option - continuing to use Samba/ntlm_auth.
Neither kerberos nor LDAP against AD (nor any other method) can be used to process MSCHAP authentications.
If Likewise are going to replace bits of the Samba stack, they should provide compatible bits.
Yeah, that's exactly what I've been doing. I was hoping to find another method, but that doesn't sound promising.
I brought this to Likewise' attention as soon as I noticed the issue. They are looking into it but haven't given me a time frame for a "fix", or even if there will provide one.
------------------------------
Message: 3 Date: Mon, 25 Apr 2011 21:30:14 +0100 From: Phil Mayers <p.mayers@imperial.ac.uk> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth To: freeradius-users@lists.freeradius.org Message-ID: <4DB5D9D6.7060706@imperial.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 04/25/2011 02:44 PM, schilling wrote:
Could we extend the AD schema with another accessible ntPassword hash, and thus use LDAP against AD for PEAP/MSCHAP?
Yes, if you know everyones plaintext password. But if you do, you don't have this problem at all; you can just store Cleartext-Password in some secured SQL database and use that.
In short: it's usually impractical.
------------------------------
Message: 4 Date: Mon, 25 Apr 2011 21:39:10 +0100 From: Phil Mayers <p.mayers@imperial.ac.uk> Subject: Re: Authenticating against Win2k8r2 without ntlm_auth To: freeradius-users@lists.freeradius.org Message-ID: <4DB5DBEE.4040606@imperial.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 04/25/2011 07:33 PM, Thomas Smith wrote:
I brought this to Likewise' attention as soon as I noticed the issue. They are looking into it but haven't given me a time frame for a "fix", or even if there will provide one.
I'm not familiar with Likewise (nor do I have any desire to become so). But if they provide any development libraries or infrastructure, you may be able to implement the feature yourself.
All "ntlm_auth" ends up doing is SamNetworkLogon RPC against the netlogon pipe of a domain controller. Minimally, they just need to provide you a binary (or you code one up) that calls that RPC using the challenge and ntresponse values (along with username/domain) and returns the NT key value.
The other alternative would be to compile Samba into a separate directory tree, and configure it carefully - then join it to the domain as a separate "virtual" domain member, which is only used for running winbind and ntlm_auth. You might have problems with nmbd and binding to port 13x.
But honestly: it would probably be easier to just run Samba on your FreeRadius servers, and forgo Likewise.
------------------------------
Message: 5 Date: Tue, 26 Apr 2011 10:16:22 +0530 From: arpitha arpitha <arpithaarp@gmail.com> To: freeradius-users@lists.freeradius.org Message-ID: <BANLkTikd7_UuLhduJUhcRacJf43+coJThw@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
hi, 'm very new to freeradius, i want to setup radius server to authenticate another system connected through an access point. i'l b grateful if any1 can tell d steps 2 do this r give links 2 d related materials. Thnks in advance :-)
------------------------------
Message: 6 Date: Tue, 26 Apr 2011 10:40:31 +0530 From: Suman Dash <suman@clydontech.com> Subject: Re: To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4DB653C7.3080203@clydontech.com> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Please read the documentation on how to setup freeradius. From your post it is unclear as what type of auth you need. There are official docs at freeradius.org which you might want to see.
On 4/26/2011 10:16 AM, arpitha arpitha wrote:
hi, 'm very new to freeradius, i want to setup radius server to authenticate another system connected through an access point. i'l b grateful if any1 can tell d steps 2 do this r give links 2 d related materials. Thnks in advance :-) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET NOD32 Antivirus, version of virus signature database 6042 (20110414) __________
The message was checked by ESET NOD32 Antivirus.