Beating a dead horse, or freeradius 2.1.1 and active directory

Rupert Finnigan rupert.finnigan at googlemail.com
Thu Dec 4 00:03:18 CET 2008


Following on from this, I've just had a read of my radiusd.conf file. I'd
start by having a look at the ldap module, specifically around the:

                #  By default, if the packet contains a User-Password,
                #  and no other module is configured to handle the
                #  authentication, the LDAP module sets itself to do
                #  LDAP bind for authentication.
                #
                #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
bit.. This might provide the answer you're looking for.

Rupes

2008/12/3 Rupert Finnigan <rupert.finnigan at googlemail.com>

>
> Well, yes - it does proxy them fine.. But is the request from the switch a
> MS-CHAP one? I don't think it is..
>
> The switch will be sending a PAP request, not a MS-CHAP one, and so you'll
> need to configure FreeRADIUS to take the PAP request and auth that against
> AD. As the switch isn't sending a MS-CHAP request then FreeRADIUS can't
> process it as such, and so MS-CHAP module returns noop. Unfortunately, I'm
> not clued up enough on FreeRADIUS to help you with this config, but in
> essence this is what I think you need to do to achieve your goal.
> 2008/12/3 Ben Little <BLittle at skylight.com>
>
>> Yeah, I'm trying to authenticate and authorize administrative tty sessions
>> to the Cisco equipment itself, not 802.1x for clients on the network.  If
>> it's not possible I guess it's not possible.  It does kind of make me wonder
>> how the Cisco ACS works though, because that 'proxies' radius or tacacs+
>> authen and author requests to active directory quite nicely.
>>
>> ------------------------------
>>
>> From: freeradius-users-bounces+blittle=skylight.com at lists.freeradius.org On Behalf Of Rupert Finnigan
>> Sent: Wednesday, December 03, 2008 2:04 PM
>> To: FreeRadius users mailing list
>> Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
>>
>> Hi,
>>
>> I'm not sure if what you're doing is going to work.. You're trying to use
>> MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP
>> advice given so far is to get EAP working from a client, say an XP laptop
>> doing 802.1X to gain access to a switchport.
>>
>> Someone will definitely correct me if I'm wrong, but I thought you could
>> only do PAP (or CHAP???) for Authentication to a Terminal line. In which
>> case, you either have to use the plain old users file, use a database such
>> as mysql, or (probably a better solution) use the LDAP module to bind to the
>> AD with the supplied username and password, and allow access if successful.
>>
>> Like I say - I'm really unsure on this one, but as no-one's replied for a
>> while I thought it might help...
>>
>> Thanks,
>>
>> Rupes
>>
>> 2008/12/3 Ben Little <BLittle at skylight.com>
>>
>>>
>>> PAP is working:
>>>
>>> ++[pap] returns updated
>>> Found Auth-Type = PAP
>>> +- entering group PAP {...}
>>> [pap] login attempt with password "secretz"
>>> [pap] Using clear text password "secretz"
>>> [pap] User authenticated successfully
>>> ++[pap] returns ok
>>> +- entering group post-auth {...}
>>> ++[exec] returns noop
>>> Sending Access-Accept of id 21 to *.*.*.* port 1645
>>>        Cisco-AVPair = "shell:priv-lvl=15"
>>> Finished request 1.
>>> Going to the next request
>>> Waking up in 4.9 seconds.
>>> Cleaning up request 1 ID 21 with timestamp +431
>>> Ready to process requests.
>>>
>>> For some reason though, even when configured to do so, the authentication
>>> attempt coming from a switch or router is not being forwarded to the KDC.  I
>>> have followed that how-to now to the letter and Active Directory is not
>>> working, however active directory and krb are both working fine on the
>>> server;
>>>
>>> [wbinfo -a test%test output]
>>> plaintext password authentication failed
>>> Could not authenticate user test%test with plaintext password
>>> challenge/response password authentication succeeded
>>>
>>> I'm not sure what I am missing here? Why isn't the login attempt on the
>>> switch being forwarded to active directory?  Is there something within the
>>> switch that needs to be set? A radius attribute maybe to identify the login
>>> attempt as mschap?
>>>
>>> >
>>> > Howto will show you how to set up and test with pap first:
>>> >
>>>
>>>  -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>>
>
>
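As an added example (not from this thread or from the FreeRADIUS project), here is the shape of a 2.1.x configuration that does what Rupert's message points at: take the PAP request from a switch or router TTY login and authenticate it by an LDAP bind against AD, with no password stored locally. The server name, DNs, service account and certificate path are assumed placeholders.

```conf
# modules/ldap  (FreeRADIUS 2.1.x syntax; host, DNs and account are assumed)
ldap {
    server = "dc1.example.local"
    # AD normally refuses anonymous searches, so look the user up with a
    # low-privilege service account that can only read user objects.
    identity = "CN=svc-radius,CN=Users,DC=example,DC=local"
    password = "CHANGE-ME"
    basedn = "DC=example,DC=local"
    # Map the RADIUS User-Name to the AD account
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # The default described in the radiusd.conf comment quoted above:
    # a request carrying User-Password with no Auth-Type yet gets
    # Auth-Type = LDAP, i.e. authentication by bind. PAP only.
    set_auth_type = yes
    # The user's password travels to AD in the bind, so encrypt the
    # LDAP session; AD can also be set to reject unencrypted simple binds.
    tls {
        start_tls = yes
        cacertfile = /etc/raddb/certs/ad-ca.pem
        require_cert = "demand"
    }
}

# sites-enabled/default (only the sections that matter here)
authorize {
    preprocess
    mschap      # a PAP request from the switch: mschap returns noop
    suffix
    files       # keep the Cisco-AVPair reply entry, but no stored
                # password, or pap claims the request before ldap does
    ldap        # user found, no password known -> Auth-Type = LDAP
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    # Bind to AD as the user's DN with the password from the PAP request;
    # a successful bind is the authentication.
    Auth-Type LDAP {
        ldap
    }
}
```

With `radiusd -X` a login should then enter the `Auth-Type LDAP` section and show the ldap module binding, rather than the `[pap] Using clear text password` line from the users file seen in the debug output above.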