Request for directions: WinXP + Samba + LDAP + 802.1x

Fabiano Caixeta Duarte fcd.listas at gmail.com
Fri Dec 11 19:32:02 CET 2009


2009/12/11 nf-vale <nf-vale at critical-links.com>:
> On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
>> Maybe I didn't make myself clear.
>>
>> I don't have AD and don't wanna. I did set clients to use 802.1x
>>
>> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
>> would depend on what you'd answer about my first question.
>
> Set XP clients to use 802.1x PEAP and don't forget to add your nas client
> (switch) to the clients.conf file in radius.
>
> You should provide some more info about your current configuration (freeradius
> version, files modified by you, etc) and at least some debug (radiusd -X) from
> a client authentication request for people to understand where you have got so
> far.

Ok. Let's follow that path.

The confs I touched:

eap.conf:
        eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 2048
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        cache {
                              enable = no
                              max_entries = 255
                        }
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                mschapv2 {
                }
        }

modules/ldap:
ldap {
        server = "sti-teste.domain.br"
        identity = "cn=system,dc=domain,dc=br"
        password = secret
        basedn = "ou=Users,dc=domain,dc=br"
        base_filter = "(objectclass=radiusprofile)"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        access_attr = "radiusFilterId"
        dictionary_mapping = ${confdir}/ldap.attrmap
        authtype = ldap
        edir_account_policy_check = no
}

sites-enabled/inner-tunnel:
server inner-tunnel {
authorize {
        chap
        mschap
        unix
        suffix
        update control {
               Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

clients.conf:
client angelina {
        ipaddr = 192.168.205.6
        secret = testing123
}
client tplink {
        ipaddr = 192.168.205.29
        secret = testing123
}

# radtest teste secret angelina 1812 testing123
Sending Access-Request of id 48 to 192.168.205.6 port 1812
        User-Name = "teste"
        User-Password = "secret"
        NAS-IP-Address = 192.168.205.6
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.205.6 port 1812,
id=48, length=64
        Filter-Id = "Enterasys:version=1:policy=Enterprise User"



-- 
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
