Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend

john lists.john at gmail.com
Wed Apr 8 18:28:52 CEST 2009


>
> We run Debian, and we currently have our samba packages pinned at version
> 2:3.0.30-3 due to this issue:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg00289.html
>
> See the Debian APT manual for information on package pinning.

Thanks Mike! I'll look into this a bit more although as you say I am
not quite having that issue (yet). :->
>
> That said, your debug output (if that was all of it) didn't seem to suggest
> you're running into this particular issue just yet. I say that because your
> EAP exchange never progresses to the point where ntlm_auth is executed by
> FreeRADIUS. Things seem to be hanging right after the outer TLS tunnel is
> established, which may point to a certificate problem. Are you sure your
> server certificate is OK?

I am not sure that it is, I am a noob. I built freeradius from the
current stable source, but I used apt to install openssl. My
understanding was that when I fired freeradius up for the first time
it would automatically populate /etc/freeradius/certs with all of the
files necessary to make a proper peap connection. Can you suggest a
way to test the cert?

Wireshark tells me that my 3Com 3226 switch is sending an eap reject
immediately after I connect the supplicant to a port protected with
.1x. I don't see any traffic between the switch and freeradius so I am
wondering if the switch doesn't support peap? Perhaps I should back
off and try md5 or something?

Also since I am throwing out the litany of my ignorance I haven't
solved in a good way a complaint that I get when I am testing via
'wbinfo -a username%password'. I've had to chmod 777
/var/run/samba/winbindd_privileged in order to use the socket, of
course restarting winbind resets the perms here. I saw something about
enabling extended ACLs on the file system to work around this
issue. I'd be interested to know what you ended up doing.

Thanks for the reply!

John

>
> Mike Loosbrock
> Bethel University Network Services
> 651-638-6723
>