Need help with 802.1X authentication to Active Directory

tnt at kalik.co.yu tnt at kalik.co.yu
Thu Jun 21 00:22:47 CEST 2007


You don't need a users file if all user/pass information is stored in AD.
Can you check if the imported certificate is in "Trusted Root" and not
some other certificate folder? I can't think of any other reason why
the conversation wouldn't start with your network configuration.

Ivan Kalik
Kalik Informatika ISP



On 20/6/2007, "Bryant Marsh" <bryantmarsh at cookielee.com> wrote:

>
>Hi Ivan,
>
>There are Event log errors in Application and System.
>
>Event ID 1053 - Windows cannot determine the user or computer name. ().
>Group Policy processing aborted.  Or error: "The specified user does not
>exist."
>
>Event ID 5719 - The system cannot log you on now because the domain "name"
>is not available."
>
>This would be expected because port security is preventing traffic. Since
>DOT1X is enabled on the Cisco switch port for the server, I need to
>authenticate against the RADIUS server which is sending credentials to my AD
>domain controller. 
>Both the server and the radius server are on the same switch, so there are
>no firewall issues. The switch is an access switch uplinked to the core
>switch where the DC is located. All servers are in the same VLAN.
>
>I cannot decipher the meaning of the debug negotiations that are happening,
>but it looks to me like there is some kind of default in the users file
>for 255.255.255.254 that is not the IP address of the server in question.
>Again, my question is whether I need a USERS file, because I was reading that
>this file is not required for AD.
>
>Here is my USERS file.
>
>http://www.nabble.com/file/p11222403/users users 
>
>Thanks,
>Bryant.
>
>
>
>
>tnt wrote:
>> 
>> OK. What does the Event Viewer on the Win2K3 client say about failed login
>> attempts? Has it received an Access-Challenge packet? There might be a
>> firewall problem.
>> 
>> Ivan Kalik
>> Kalik Informatika ISP
>> 
>> 
>> On 20/6/2007, "Bryant Marsh" <bryantmarsh at cookielee.com> wrote:
>> 
>>>
>>>Hi Ivan,
>>>
>>>Sorry I forgot to mention that I did import the cert-clt.p12 and
>>>cacert.pem to the local machine certificate store.
>>>
>>>I was reading a document that was saying that the USERS file is not
>>>necessary for authenticating to Active Directory. Is that really true?
>>>
>>>Here are my config files.
>>>http://www.nabble.com/file/p11217074/clients.conf clients.conf
>>>http://www.nabble.com/file/p11217074/smb.conf smb.conf
>>>http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf
>>>http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf
>>>http://www.nabble.com/file/p11217074/eap.conf eap.conf
>>>http://www.nabble.com/file/p11217074/hosts hosts
>>>
>>>Thanks,
>>>Bryant.
>>>
>>>
>>>Yes. Certificates created with xpextensions will work with Win2K3 clients
>>>as well. But you need to import CA certificate to the trusted
>>>certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
>>>
>>>Ivan Kalik
>>>Kalik Informatika ISP
>>>
>>>--
>>>View this message in context:
>>>http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11217074
>>>Sent from the FreeRadius - User mailing list archive at Nabble.com.
>>>
>>>-
>>>List info/subscribe/unsubscribe? See
>>>http://www.freeradius.org/list/users.html
>>>
>>>
>> 
>> 
>> 
>
>-- 
>View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11222403
>Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>



