Okay, I've had a working config with the following for the past month. TTLS->LDAP PEAP->AD PEAP->Local Users File After a month running everything perfectly, 3 days ago the "PEAP-AD" portion of the AAA failed. This is for wireless auth. Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to login via PEAP->AD. Everything else is verified as working. Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius? Nathan Van Fleet Telecommunications Analyst Network Assessment and Integration IITS Concordia University (514) 848-2424 Extension:5434
Have you checked the certificate? That's one major difference. ntlm-auth is the auth after the cert conversation in PEAP is done. Maybe a radiusd -X log to help us along? From: freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Friday, June 25, 2010 8:22 AM To: 'FreeRadius users mailing list' Subject: PEAP - AD Disabled Okay, I've had a working config with the following for the past month. TTLS->LDAP PEAP->AD PEAP->Local Users File After a month running everything perfectly, 3 days ago the "PEAP-AD" portion of the AAA failed. This is for wireless auth. Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to login via PEAP->AD. Everything else is verified as working. Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius? Nathan Van Fleet Telecommunications Analyst Network Assessment and Integration IITS Concordia University (514) 848-2424 Extension:5434
Isn't the same certificate used in the TLS tunnel for TTLS? Anyhow, it appears to be something to do with the person who configed Samba. They clustered the servers and the privileges changes in /var/cache/samba/winbind_privileged. That directory has been one of the biggest problems we've had so far. Thanks, Nathan Van Fleet Telecommunications Analyst Network Assessment and Integration IITS Concordia University (514) 848-2424 Extension:5434
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Danner, Mearl Sent: Friday, June 25, 2010 9:34 AM To: FreeRadius users mailing list Subject: RE: PEAP - AD Disabled
Have you checked the certificate? That's one major difference. ntlm- auth is the auth after the cert conversation in PEAP is done.
Maybe a radiusd -X log to help us along?
From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Friday, June 25, 2010 8:22 AM To: 'FreeRadius users mailing list' Subject: PEAP - AD Disabled
Okay,
I've had a working config with the following for the past month.
TTLS->LDAP PEAP->AD PEAP->Local Users File
After a month running everything perfectly, 3 days ago the "PEAP-AD" portion of the AAA failed. This is for wireless auth.
Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to login via PEAP->AD. Everything else is verified as working.
Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius?
Nathan Van Fleet Telecommunications Analyst Network Assessment and Integration IITS Concordia University (514) 848-2424 Extension:5434
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Isn't the same certificate used in the TLS tunnel for TTLS?
Anyhow, it appears to be something to do with the person who configed Samba. They clustered the servers and the privileges changes in /var/cache/samba/winbind_privileged. That directory has been one of the biggest problems we've had so far.
distro package updates will often blat such files - did the server recently get a SAMBA update? if so, then the post-install section changes the permissions of that link directory. everyone in our team here is aware of that - our patch notificaton system has big warning notices at the top of any update notifications so as to ensure that the yum/up2date/apt-get process doesnt just get done blindly. alan
On 25/06/10 14:21, Nathan McDavit-Van Fleet wrote:
Okay,
I’ve had a working config with the following for the past month.
TTLS->LDAP
PEAP->AD
PEAP->Local Users File
After a month running everything perfectly, 3 days ago the “PEAP-AD” portion of the AAA failed. This is for wireless auth.
Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config wise between then and now, and I haven’t found any interesting log information. You just get a “Login incorrect” when you try to login via PEAP->AD. Everything else is verified as working.
Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius?
Permissions? Including unix perms on the winbind socket, and perhaps SELinux labelling.
participants (4)
-
Alan Buxey -
Danner, Mearl -
Nathan McDavit-Van Fleet -
Phil Mayers