EAP problem
Graham, Robert
rgraham at mem-ins.com
Thu Jun 30 04:32:52 CEST 2005
Hello list,
I have freeradius configured to authenticate users against Active Directory with ms-chap and can also do ldap group searches, all that is working great. Now what I need to do is implement 802.1x port authentication on our foundry switches and I'm running into problems. This is our layout:
W2K Pro (using MD5-Challenge) -----> Foundry Switch -------> Freeradius --------> AD
I have read a lot of articles/posts on the web and looked over the docs (I don't know how many times) and I think I'm more confused than ever. So the first question is:
Is this setup even possible?
I did get EAP to work when I supply the User-Password attribute in the users file, but I would like LDAP to fetch this if it is possible. I came across a post suggesting this, but the answer was not very clear. If I remove the User-Password attribute in the users file, the debug output shows: User-Password is required for EAP-MD5 authenitication.
Another question I would like to ask is: When you configure the workstation (supplicant) for MD5-Challenge, it prompts you for:
Username
Password
Domain
If you supply all three values, the debug shows:
Identity does not match user-name
But if you leave the domain field blank, it works (providing that User-Password attribute is in the user file).
I hope these questions make sense and hopefully someone out there can help.
-Robert Graham
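
Added example, not part of the original post and not FreeRADIUS code: a sketch of the EAP-MD5 exchange as defined in RFC 3748 (MD5-Challenge, analogous to CHAP in RFC 1994), showing why the server needs the cleartext password to check a response. The password, identifier and names are constructed, and SHA-256 stands in for any one-way stored form of the password.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def build_md5_packet(code, ident, value, name=b""):
    """Code | Identifier | Length | Type=4 | Value-Size | Value | Name"""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_md5_packet(pkt):
    """Return (code, identifier, value, name) or raise ValueError."""
    if len(pkt) < 6:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = pkt[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, ident, pkt[6:6 + size], pkt[6 + size:]

def md5_response(ident, password, challenge):
    # Response value = MD5(Identifier || password || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def server_verify(request, response, known_secret):
    """Recompute the response from what the server holds and compare."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, _ = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_response(req_id, known_secret, challenge)
    return hmac.compare_digest(expected, value)

def demo():
    password = b"constructed-password"            # constructed sample value
    request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16), b"radius")
    _, ident, challenge, _ = parse_md5_packet(request)
    response = build_md5_packet(
        EAP_RESPONSE, ident, md5_response(ident, password, challenge), b"alice")
    stored_hash = hashlib.sha256(password).digest()  # stand-in one-way form
    # Cleartext verifies; a one-way hash of the same password does not.
    return (server_verify(request, response, password),
            server_verify(request, response, stored_hash))

if __name__ == "__main__":
    print(demo())
```
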