FR + AD host/ machine/ workstation authentication

Jacob Jarick mem.namefix at gmail.com
Fri Jul 6 10:35:06 CEST 2007


Config on client follows exactly what the howto recommends with the 1
change of checking "authenticate as computer when computer information
is available", which as you can see does attempt to auth.

The cert options are set as in this picture:
http://wiki.freeradius.org/Image:100000000000017F000001D2C7856F9F.png

I just reread this section here on the howto "Certificate validation
is strongly recommended for wireless configurations, and optional for
wired deployments.

Select « Validate server certificate » and check ONLY the CA for your
FreeRADIUS server (the one you installed above). Also select « Connect
to these servers » and enter the Common Name of the server
certificate.

If you are configuring a wired ethernet interface, you can leave
certificate verification off in your supplicants: just deselect «
Validate server certificate ».

Either way, select « EAP-MSCHAP v2 » as authentication method. Click
the « Configure » button next."

So I will enable cert validation, retry and post back.

Cheers for the info/tip :)

On 7/6/07, A.L.M.Buxey at lboro.ac.uk <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
> > This url here looks like what I need
> > http://support.novell.com/docs/Tids/Solutions/10100693.html but their
> > instructions are pretty lousy "For machine-based authentication or
> > user based authentication, modify the RADIUSD.CONF file by adding the
> > following lines:" doesn't say where or what section to add said lines
> > to and we all know how touchy the radiusd.conf file is.
>
> those parts can go pretty much anywhere in the main config file - eg
> stick them at the end of the file.
>
> from what I can see of the log the NTLM is working fine - the NTKEY
> reply matched and it's all okay. which leaves me to assume that a
> config on the client isn't correct - is the machine configured to validate
> the RADIUS server and does it have the correct 'tick' for the certificate
> and host name for the server to validate?
>
> alan