FR + AD host/ machine/ workstation authentication
Jacob Jarick
mem.namefix at gmail.com
Fri Jul 6 10:35:06 CEST 2007
Config on client follows exactly what the howto recommends, with the 1
change of checking "authenticate as computer when computer information
is available". Which as you can see does attempt to auth.
The cert options are set as in this picture:
http://wiki.freeradius.org/Image:100000000000017F000001D2C7856F9F.png
I just reread this section here on the howto "Certificate validation
is strongly recommended for wireless configurations, and optional for
wired deployments.
Select « Validate server certificate » and check ONLY the CA for your
FreeRADIUS server (the one you installed above). Also select « Connect
to these servers » and enter the Common Name of the server
certificate.
If you are configuring a wired ethernet interface, you can leave
certificate verification off in your supplicants: just deselect «
Validate server certificate ».
Either way, select « EAP-MSCHAP v2 » as authentication method. Click
the « Configure » button next."
So I will enable cert validation, retry and post back.
Cheers for the info/tip :)
On 7/6/07, A.L.M.Buxey at lboro.ac.uk <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
> > This url here looks like what I need
> > http://support.novell.com/docs/Tids/Solutions/10100693.html but their
> > instructions are pretty lousy "For machine-based authentication or
> > user based authentication, modify the RADIUSD.CONF file by adding the
> > following lines:" doesn't say where or what section to add said lines
> > to and we all know how touchy the radiusd.conf file is.
>
> those parts can go pretty much anywhere in the main config file - eg
> stick them at the end of the file.
>
> from what I can see of the log the NTLM is working fine - the NTKEY
> reply matched and it's all okay. which leaves me to assume that a
> config on the client isn't correct - is the machine configured to validate
> the RADIUS server and does it have the correct 'tick' for the certificate
> and host name for the server to validate?
>
> alan