How do I set up simple AD integration?
Burton, Steven
sburton at shepherd-construction.co.uk
Wed Apr 12 16:16:21 CEST 2006
> -----Original Message-----
> From: freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org [mailto:freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org] On Behalf Of Josh Howlett
> Sent: 12 April 2006 11:48
> To: FreeRadius users mailing list
> Subject: Re: How do I set up simple AD integration?
>
>
> Burton, Steven wrote:
> >
> >> -----Original Message-----
> >> From: freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org [mailto:freeradius-users-bounces+sburton=shepherd-construction.co.uk at lists.freeradius.org] On Behalf Of Alan DeKok
> >> Sent: 11 April 2006 16:28
> >> To: FreeRadius users mailing list
> >> Subject: Re: How do I set up simple AD integration?
> >>
> >>
> >> "Burton, Steven" <sburton at shepherd-construction.co.uk> wrote:
> >>> This stanza is enclosed within the mschap section, still nothing ventured....
> >>> I changed the line and unfolded it and ran radiusd -X. The first
> >>> request didn't match anything useful and was rejected by System. I
> >>> tried again but ticked the box 'CHAP' on NTRadPing and got the
> >>> output:
> >> You can't do CHAP to MS AD. It's impossible.
> >>
> >> Alan DeKok.
> >
> > My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
> > I still hope to get 802.1x working with FR before I'm told to stop wasting time and buy something :-) but after two and a half days (on and off) I'm no closer.
>
> Steve,
>
> I strongly suggest you start off doing PEAP against the 'users' file, and once that's working get the domain stuff working.
>
> It sounds to me like you're trying to do too much at once, and too many things are broken for you to know where to start!
>
> Once you've got PEAP working against the 'users' file, create a machine account in the AD for the RADIUS server (using the Samba tools) and then use the ntlm_auth program (that comes with Samba) to test standard authentication.
>
> Once you've got that far, it's just a matter of configuring FreeRADIUS to use ntlm_auth. But you can worry about that later :-)
>
> This isn't difficult, it's largely a matter of making sure you do the right steps in the right order...
>
> best regards, josh.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Well, IT'S WORKING!! Thank you all for your help, advice and support.
Alas, I didn't back up the files last night so I'm not sure exactly what I did to make it work, but I can now see it authenticating and then the connection is made. I have set it to put user names in the log and I hope to have it write accounting logs soon.
More worryingly, I'm seeing this error message in radiusd.log:
Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
AFAIK there is no certificate A on the client (or supplicant) so the error message is probably correct but is it a problem in security terms?
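The middle step Josh recommends in the quoted reply (join the RADIUS host to the domain, then prove with Samba's ntlm_auth that it can authenticate a domain user before touching the FreeRADIUS configuration) is easy to get wrong in a way that looks like a FreeRADIUS bug. The script below is an added example, not code from this thread, from Samba or from FreeRADIUS: it wraps ntlm_auth with its real options (--domain, --username, --password, --challenge, --nt-response, --request-nt-key) and interprets the NT_STATUS_* line it prints so that a credential problem can be told apart from a plumbing problem. The path /usr/bin/ntlm_auth, the assumption that the host has already been joined with the Samba tools so winbindd is running, and the short classification words are this example's own choices.

```shell
#!/bin/sh
# Added example for the thread above (not the project's own code): test AD
# authentication through Samba's ntlm_auth on the RADIUS host, as Josh suggests
# doing before configuring FreeRADIUS to call ntlm_auth itself.
#
# Assumptions (not from the thread): ntlm_auth is at /usr/bin/ntlm_auth and the
# host is already joined to the domain so that winbindd answers requests.
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"

# interpret_ntlm_auth_output OUTPUT STATUS
# ntlm_auth prints an NT_STATUS_* line and exits 0 when the domain accepted
# the logon. Only the combination "NT_STATUS_OK" and exit status 0 counts as a
# pass; an OK line with a non-zero exit (truncated output, wrapper error) fails.
interpret_ntlm_auth_output() {
  case "$1" in
    *NT_STATUS_OK*) [ "$2" -eq 0 ] && return 0 ;;
  esac
  return 1
}

# classify_ntlm_status OUTPUT
# Map the NT_STATUS_* results seen in practice to one word so a caller can tell
# bad credentials from "winbindd cannot reach a DC" or "this user may not use
# winbindd's privileged pipe" (the classification words are this example's own).
classify_ntlm_status() {
  case "$1" in
    *NT_STATUS_OK*)                                             echo "ok" ;;
    *NT_STATUS_WRONG_PASSWORD*|*NT_STATUS_LOGON_FAILURE*)       echo "bad-credentials" ;;
    *NT_STATUS_NO_SUCH_USER*)                                   echo "no-such-user" ;;
    *NT_STATUS_ACCOUNT_LOCKED_OUT*|*NT_STATUS_ACCOUNT_DISABLED*) echo "account-blocked" ;;
    *NT_STATUS_NO_LOGON_SERVERS*)                               echo "no-domain-controller" ;;
    *NT_STATUS_ACCESS_DENIED*)                                  echo "winbindd-access-denied" ;;
    *)                                                          echo "unknown" ;;
  esac
}

# check_domain_auth DOMAIN USER PASSWORD
# Interactive test with a clear-text password. --request-nt-key makes ntlm_auth
# return the NT session key, the same thing rlm_mschap asks for later, so a
# pass here exercises the winbindd path FreeRADIUS will use.
# The password is visible on the command line (ps), so use this only for a
# one-off test on the RADIUS host, never from a script left in production.
check_domain_auth() {
  domain="$1"; user="$2"; password="$3"
  out=$("$NTLM_AUTH" --request-nt-key --domain="$domain" \
        --username="$user" --password="$password" 2>&1)
  status=$?
  if interpret_ntlm_auth_output "$out" "$status"; then
    printf 'PASS: %s\\%s accepted by the domain\n' "$domain" "$user"
    return 0
  fi
  printf 'FAIL (%s): %s\n' "$(classify_ntlm_status "$out")" "$out" >&2
  return 1
}

# check_mschap_response DOMAIN USER CHALLENGE_HEX NT_RESPONSE_HEX
# The same call with an MS-CHAP challenge/response pair instead of a password;
# this is the form FreeRADIUS's mschap module hands to ntlm_auth once it is
# configured for AD, so it is the right thing to test for 802.1X/PEAP clients.
check_mschap_response() {
  out=$("$NTLM_AUTH" --request-nt-key --domain="$1" --username="$2" \
        --challenge="$3" --nt-response="$4" 2>&1)
  status=$?
  interpret_ntlm_auth_output "$out" "$status"
}

# Usage: sh ntlm_check.sh DOMAIN user 'password'
if [ "$#" -eq 3 ]; then
  check_domain_auth "$1" "$2" "$3"
fi
```

Run it as the same Unix user FreeRADIUS runs as: a "winbindd-access-denied" result from an ordinary user that works fine for root almost always means that user is not allowed into winbindd's privileged pipe directory, which is a host permission problem rather than anything in radiusd.conf.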