Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
Mike Loosbrock
m-loosbrock at bethel.edu
Wed Apr 8 21:04:49 CEST 2009
On Apr 8, 2009, at 11:28 AM, john wrote:
> Can you suggest a way to test the cert?
Well, you can use the openssl utility to see what your server
certificate contains:
$ openssl x509 -text -in <server-cert-file>
> Wireshark tells me that my 3Com 3226 switch is sending an eap reject
> immediately after I connect the supplicant to a port protected with
> .1x. I don't see any traffic between the switch and freeradius so I am
> wondering if the switch doesn't support peap? Perhaps I should back
> off and try md5 or something?
Your switch doesn't *need* to support any particular EAP type because
the EAP exchange is actually between the supplicant and RADIUS. Your
switch just passes the messages back and forth between the two. If you
see your switch doing EAP with the supplicant (i.e. EAP is happening,
but you don't see it at the RADIUS server), your switch may be doing
what some vendors call 'EAP off-loading'. In other words, the switch
is handling EAP to get at the credentials it eventually authenticates
against RADIUS. But I don't know if 3Com switches do this, and if they
do, it's probably not default.
> Also since I am throwing out the litany of my ignorance I haven't
> solved in a good way a complaint that I get when I am testing via
> 'wbinfo -a username%password'. I've had to chmod 777
> /var/run/samba/winbindd_privileged in order to use the socket, of
> course restarting winbind resets the perms here. I saw something about
> enabling extended ACLs on the file system to work around this
> issue. I'd be interested to know what you ended up doing.
Just add the freerad user to the winbindd_priv group.
Mike Loosbrock
Bethel University Network Services
651-638-6723
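
The group-membership fix in the reply above can be checked with a short audit script. This is an added example, not part of the original message: it confirms the privileged pipe directory is closed to "other" (the chmod 777 workaround fails this) and that the RADIUS user reaches it through the group. The path, user and group come from the thread; the function name `check_winbind_priv` and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit access to winbindd's privileged
# pipe directory. Assumes GNU stat; check_winbind_priv is a hypothetical name.

# check_winbind_priv DIR USER GROUP
# Returns 0 when DIR is group-owned by GROUP, grants nothing to "other",
# and USER is a member of GROUP; 1 on a finding; 2 when DIR is missing.
check_winbind_priv() {
    dir=$1; user=$2; group=$3; rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (is winbindd running?)"
        return 2
    fi

    mode=$(stat -c '%a' "$dir")          # octal mode, e.g. 750 or 777
    dir_group=$(stat -c '%G' "$dir")     # group name owning the directory

    # The last octal digit is the "other" permission set. Anything but 0
    # lets every local account reach the pipe (the chmod 777 workaround).
    other=${mode#"${mode%?}"}
    if [ "$other" != "0" ]; then
        echo "FAIL: $dir is mode $mode; 'other' should have no access"
        rc=1
    fi

    if [ "$dir_group" != "$group" ]; then
        echo "FAIL: $dir is group-owned by $dir_group, expected $group"
        rc=1
    fi

    # Membership as the system resolves it (primary and supplementary).
    if ! id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
        echo "FAIL: $user is not a member of $group"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $user reaches $dir through group $group only"
    fi
    return "$rc"
}

# Values from the thread; pass --run to audit the live system.
if [ "${1:-}" = "--run" ]; then
    check_winbind_priv /var/run/samba/winbindd_privileged freerad winbindd_priv
fi
```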