Beating a dead horse, or freeradius 2.1.1 and active directory

Rupert Finnigan rupert.finnigan at googlemail.com
Wed Dec 3 23:04:20 CET 2008


Hi,

I'm not sure if what you're doing is going to work. You're trying to use
MS-CHAP to handle terminal session logins, I think. Most of the MS-CHAP
advice given so far is to get EAP working from a client, say an XP laptop
doing 802.1X to gain access to a switchport.

Someone will definitely correct me if I'm wrong, but I thought you could
only do PAP (or CHAP???) for Authentication to a Terminal line. In which
case, you either have to use the plain old users file, use a database such
as mysql, or (probably a better solution) use the LDAP module to bind to the
AD with the supplied username and password, and allow access if successful.

Like I say - I'm really unsure on this one, but as no one has replied for a
while I thought it might help...

Thanks,

Rupes

2008/12/3 Ben Little <BLittle at skylight.com>

>
> PAP is working:
>
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "secretz"
> [pap] Using clear text password "secretz"
> [pap] User authenticated successfully
> ++[pap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 21 to *.*.*.* port 1645
>        Cisco-AVPair = "shell:priv-lvl=15"
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 21 with timestamp +431
> Ready to process requests.
>
> For some reason though, even when configured to do so, the authentication
> attempt coming from a switch or router is not being forwarded to the KDC.  I
> have followed that how-to now to the letter and Active Directory is not
> working, however active directory and krb are both working fine on the
> server;
>
> [wbinfo -a test%test output]
> plaintext password authentication failed
> Could not authenticate user test%test with plaintext password
> challenge/response password authentication succeeded
>
> I'm not sure what I am missing here? Why isn't the login attempt on the
> switch being forwarded to Active Directory?  Is there something within the
> switch that needs to be set? A RADIUS attribute maybe to identify the login
> attempt as MS-CHAP?
>
> >
> > Howto will show you how to set up and test with pap first:
> >
>
>  -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
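The "bind to AD with the supplied username and password" approach suggested above, written out as a FreeRADIUS 2.1.x configuration. This is an added example, not configuration from the thread or from the FreeRADIUS project; the server name, base DN, service account and filter are placeholders you would replace with your own. It only covers the case the thread is actually hitting: a Cisco login request that arrives as PAP (the request carries a cleartext User-Password, as in the debug output quoted above).

```text
# --- raddb/modules/ldap (added example; values are placeholders) ---
ldap {
        server = "dc1.example.com"

        # Service account used only to look up the user's DN.
        # The authentication itself is a bind as the user, so this
        # account needs read access to the user objects and nothing more.
        identity = "CN=radius-svc,OU=Service Accounts,DC=example,DC=com"
        password = "svc-password"

        basedn = "DC=example,DC=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=user)"

        # AD does not expose a readable password attribute over LDAP,
        # so password_attribute is deliberately left unset. With no
        # "known good" password, set_auth_type makes the module set
        # Auth-Type := LDAP when the request carries a User-Password,
        # i.e. only for PAP. CHAP and MS-CHAP requests cannot be
        # verified by a bind and will not get Auth-Type LDAP.
        set_auth_type = yes

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        # The user's password is sent to the DC in the bind, so protect
        # the connection; AD supports STARTTLS on port 389.
        tls {
                start_tls = yes
        }
}

# --- raddb/sites-available/default (only the relevant sections) ---
authorize {
        preprocess
        ldap            # finds the user, sets Auth-Type := LDAP for PAP
        pap
}

authenticate {
        Auth-Type LDAP {
                ldap    # binds to AD as the user; a successful bind is Access-Accept
        }
        Auth-Type PAP {
                pap     # still used for entries that have a local cleartext password
        }
}
```

With this in place a PAP login from the switch is decided by the bind result, and the reply attributes (such as the Cisco-AVPair = "shell:priv-lvl=15" seen in the quoted debug output) can stay wherever they are set now, for example in the users file. The caveat is the one the thread circles around: this path works only while the NAS sends the password in the clear as User-Password. An MS-CHAP request contains a challenge/response, not a password, and the NT hash needed to check it is not readable from AD over LDAP, which is why MS-CHAP against AD has to go through ntlm_auth/winbind (the mechanism wbinfo -a exercises) rather than through an LDAP bind.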