This is our setup: we put a FreeRadius version 2.1.10 on Ubuntu in front of the Cisco ACS 5 and we need the FreeRadius to strip the suffix starting from @ and just pass the username to ACS 5 for authentication(with AD). We use PEAP MS-CHAPv2. It did not work. ACS5 still sees the whole username(i.e, dxu@uoguelph.ca) with the suffix. I added the following to the proxy.conf file: realm uoguelph.ca { type = radius authhost = acs5-test2.uoguelph.ca:1812 accthost = acs5-test2.uoguelph.ca:1813 secret = testing123 } I added followings to the radiusd.conf file: realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } authorize { preprocess mschap suffix eap files } authenticate { Auth-Type MS-CHAP { mschap } eap } mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } Did I miss anything? Does FreeRadius strip the realm for both inner and outer IDs for peap authentication? Thank you for your help! --- Dennis Xu, MASc, CCIE #13056 Analyst 3, Network Infrastructure Computing and Communications Services(CCS) University of Guelph 519-824-4120 Ext 56217 dxu@uoguelph.ca www.uoguelph.ca/ccs
On Sep 9, 2015, at 9:48 AM, Dennis Xu <dxu@uoguelph.ca> wrote:
This is our setup: we put a FreeRadius version 2.1.10 on Ubuntu in front of the Cisco ACS 5 and we need the FreeRadius to strip the suffix starting from @ and just pass the username to ACS 5 for authentication(with AD). We use PEAP MS-CHAPv2.
It will not work.
It did not work.
See?
ACS5 still sees the whole username(i.e, dxu@uoguelph.ca) with the suffix.
I added the following to the proxy.conf file: realm uoguelph.ca { type = radius authhost = acs5-test2.uoguelph.ca:1812 accthost = acs5-test2.uoguelph.ca:1813 secret = testing123 }
You didn't tell it to strip the User-Name. Even if you had done that, you probably would discover that there are other issues preventing it from working. Playing games with EAP identifiers is a losing proposition.
Did I miss anything?
Debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?
Does FreeRadius strip the realm for both inner and outer IDs for peap authentication?
If you tell it to. And doing so will break EAP. So... WHY do you need to do this? Why not just use FreeRADIUS and Samba to talk to Active Directory? Or, configure ACS so that it does it's job correctly. It should be able to strip the realms itself. If it can't, throw it in the garbage and use FreeRADIUS. Alan DeKok.
I didn't tell it to strip the realm, but I understand the default behavior is to strip the realm unless you put "nostrip"? I had issue to use FreeRadius to authenticate to AD directly because our AD's password format is not clear-text or NT Hash. I just noticed with version 3.0, FreeRadius can use Samba to bind to Active Directory. So I think it should not care the password format in AD? Unfortunately Cisco ACS5 cannot strip realm for AD authentication. Cisco ISE can do. Thank you! --- Dennis Xu, MASc, CCIE #13056 Analyst 3, Network Infrastructure Computing and Communications Services(CCS) University of Guelph 519-824-4120 Ext 56217 dxu@uoguelph.ca www.uoguelph.ca/ccs ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 9, 2015 10:01:59 AM Subject: Re: Realm Strip On Sep 9, 2015, at 9:48 AM, Dennis Xu <dxu@uoguelph.ca> wrote:
This is our setup: we put a FreeRadius version 2.1.10 on Ubuntu in front of the Cisco ACS 5 and we need the FreeRadius to strip the suffix starting from @ and just pass the username to ACS 5 for authentication(with AD). We use PEAP MS-CHAPv2.
It will not work.
It did not work.
See?
ACS5 still sees the whole username(i.e, dxu@uoguelph.ca) with the suffix.
I added the following to the proxy.conf file: realm uoguelph.ca { type = radius authhost = acs5-test2.uoguelph.ca:1812 accthost = acs5-test2.uoguelph.ca:1813 secret = testing123 }
You didn't tell it to strip the User-Name. Even if you had done that, you probably would discover that there are other issues preventing it from working. Playing games with EAP identifiers is a losing proposition.
Did I miss anything?
Debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?
Does FreeRadius strip the realm for both inner and outer IDs for peap authentication?
If you tell it to. And doing so will break EAP. So... WHY do you need to do this? Why not just use FreeRADIUS and Samba to talk to Active Directory? Or, configure ACS so that it does it's job correctly. It should be able to strip the realms itself. If it can't, throw it in the garbage and use FreeRADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Dennis Xu