Good afternoon, Sorry to bother you guys again! I am trying to authenticate Windows XP PCs (sp2) with their hostnames. It looks like PC will try to use its hostname (in format host/<computer_name.domainname>) to authenticate when no user is logged in. I configured the "users" file and also the post-auth section of "default" file to force accepting the request. In the debug it shows it does accept and send back the response. I also captured the packets in the wireshark. However the NAS (Cisco 3750 switch with newest firmware) doesn't take it and simply ignored it and send the request again. It repeated three times and eventually failed... Users file: host/neteng-sp1.gtcorp.com Auth-Type := Accept Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000 Sites-available/default file: post-auth { ... if(request:User-Name == "host/neteng-sp1.gtcorp.com"){ update reply { Auth-Type := Accept Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-ID = 3 Tunnel-Preference = 0 } } ... } Actually it doesn't look like it's Freeradiusd's problem since it did send back the response. It's the NAS which doesn't process the reply... However does anybody know why? Did I miss any attributes? Anyway to work around this problem? Alan, I think you told me once that it's not easy to fool the NAS to accept all requests... Is this one of the case we are talking about?? Thank you and have a good weekend! Difan Zhao Network Engineer difan.zhao@guest-tek.com www.guest-tek.com <http://www.guest-tek.com/> Office: 403-509-1010 ext 3048 Cell: 403-689-7514 Guest-tek(tm) delivers broadband networking solutions to businesses serving mobile users. Our products provide fast and easy plug-and-play Internet access, IP Video-on-Demand, and Voice over IP to end users. Through our superior implementation and support services, our partners gain a sustainable competitive edge. With headquarters in Calgary and Irvine, Guest-tek(tm) has been serving hospitality and related industries since 1996. The contents of this email are confidential and intended for the recipient only. If you have received this email in error, please notify us, and destroy all copies.
On 04/16/2010 10:37 PM, Difan Zhao wrote:
Users file:
host/neteng-sp1.gtcorp.com Auth-Type := Accept
That won't work I think. The hosts are expecting to do EAP/PEAP+MS-CHAP (or EAP-TLS) and you'll need appropriate server-side auth mechanisms to issue the correct challenge/response values. That is, you need to setup auth against their machine account credentials or certificates.
Phil, thank you very much for reply! I think you are right. I just tried to change the authentication type to MD5 and then the laptop doesn't even try to authenticate with hostname anymore. It seems it has to use PEAP for this type of authentication. I will try setup NTLM and see if that works. Thanks again! Difan Zhao Network Engineer difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -----Original Message----- From: freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradi us.org] On Behalf Of Phil Mayers Sent: Sunday, April 18, 2010 3:54 AM To: freeradius-users@lists.freeradius.org Subject: Re: Authenticate computers with their hostnames On 04/16/2010 10:37 PM, Difan Zhao wrote:
Users file:
host/neteng-sp1.gtcorp.com Auth-Type := Accept
That won't work I think. The hosts are expecting to do EAP/PEAP+MS-CHAP (or EAP-TLS) and you'll need appropriate server-side auth mechanisms to issue the correct challenge/response values. That is, you need to setup auth against their machine account credentials or certificates. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Difan Zhao -
Phil Mayers