Beating a dead horse, or freeradius 2.1.1 and active directory

Ben Little BLittle at skylight.com
Wed Dec 3 23:25:17 CET 2008 

yeah I'm trying to authenticate and authorize administrative tty session to the cisco equipment itself, not 802.1x for clients on the network.  If it's not possible I guess it's not possible.  It does kind of make me wonder how the Cisco ACS works though because that 'proxies' radius or tacacs+ authen and author requests to active directory quite nicely.


________________________________


	
	From: freeradius-users-bounces+blittle=skylight.com at lists.freeradius.org [mailto:freeradius-users-bounces+blittle=skylight.com at lists.freeradius.org] On Behalf Of Rupert Finnigan
	Sent: Wednesday, December 03, 2008 2:04 PM
	To: FreeRadius users mailing list
	Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
	
	
	Hi,
	 
	I'm not sure if what you're doing is going to work.. You're trying to use MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP advise given so far is to get EAP working from a client, say a XP laptop doing 802.1X to gain access to a switchport.
	 
	Someone will definitely correct me if I'm wrong, but I thought you could only do PAP (or CHAP???) for Authentication to a Terminal line. In which case, you either have to use the plain old users file, use a database such as mysql, or (probably a better solution) use the LDAP module to bind to the AD with the supplied username and password, and allow access if successful.
	 
	Like I say - I'm really unsure on this one, but as no-ones replied for a while I though it might help...
	 
	Thanks,
	 
	Rupes
	
	
	2008/12/3 Ben Little <BLittle at skylight.com>
	


		PAP is working:
		
		++[pap] returns updated
		Found Auth-Type = PAP
		+- entering group PAP {...}
		[pap] login attempt with password "secretz"
		[pap] Using clear text password "secretz"
		[pap] User authenticated successfully
		++[pap] returns ok
		+- entering group post-auth {...}
		++[exec] returns noop
		Sending Access-Accept of id 21 to *.*.*.* port 1645
		       Cisco-AVPair = "shell:priv-lvl=15"
		Finished request 1.
		
		Going to the next request
		
		Waking up in 4.9 seconds.
		
		Cleaning up request 1 ID 21 with timestamp +431
		Ready to process requests.
		
		For some reason though, even when configured to do so, the authentication attempt coming from a switch or router is not being forwarded to the KDC.  I have followed that how-to now to the letter and Active Directory is not working, however active directory and krb are both working fine on the server;
		
		[wbinfo -a test%test output]
		plaintext password authentication failed
		Could not authenticate user test%test with plaintext password
		challenge/response password authentication succeeded
		
		I'm not sure what I am missing here? Why isn't the login attempt on the switch being forwarded to active directory?  Is there something within the switch that meeds to be set? A radius attribute maybe to identify the login attempt as mschap?
		

		>
		> Howto will show you how to set up and test with pap first:
		>
		
		
		-
		List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
		


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081203/ae7b1914/attachment.html>

More information about the Freeradius-Users mailing list