Request for directions: WinXP + Samba + LDAP + 802.1x

nf-vale nf-vale at critical-links.com
Fri Dec 11 19:46:11 CET 2009


On Friday 11 December 2009 18:32:02 Fabiano Caixeta Duarte wrote:
> 2009/12/11 nf-vale <nf-vale at critical-links.com>:
> > On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
> >> Maybe I didn't make myself clear.
> >>
> >> I don't have AD and don't want to. I did set clients to use 802.1x.
> >>
> >> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
> >> would depend on what you'd answer about my first question.
> >
> > Set XP clients to use 802.1x PEAP and don't forget to add your NAS client
> > (switch) to the clients.conf file in radius.
> >
> > You should provide some more info about your current configuration
> > (FreeRADIUS version, files modified by you, etc.) and at least some debug
> > output (radiusd -X) from a client authentication request for people to
> > understand where you have got so far.
> 
> Ok. Let's follow that path.
> 
> The confs I touched:
> 
> eap.conf:
>         eap {
>                 default_eap_type = peap
>                 timer_expire     = 60
>                 ignore_unknown_eap_types = no
>                 cisco_accounting_username_bug = no
>                 max_sessions = 2048
>                 md5 {
>                 }
>                 leap {
>                 }
>                 gtc {
>                         auth_type = PAP
>                 }
>                 tls {
>                         certdir = ${confdir}/certs
>                         cadir = ${confdir}/certs
>                         private_key_password = whatever
>                         private_key_file = ${certdir}/server.pem
>                         certificate_file = ${certdir}/server.pem
>                         CA_file = ${cadir}/ca.pem
>                         dh_file = ${certdir}/dh
>                         random_file = ${certdir}/random
>                         cipher_list = "DEFAULT"
>                         make_cert_command = "${certdir}/bootstrap"
>                         cache {
>                               enable = no
>                               max_entries = 255
>                         }
>                 }
>                 ttls {
>                         default_eap_type = md5
>                         copy_request_to_tunnel = no
>                         use_tunneled_reply = no
>                         virtual_server = "inner-tunnel"
>                 }
>                 peap {
>                         default_eap_type = mschapv2
>                         copy_request_to_tunnel = no
>                         use_tunneled_reply = no
>                         virtual_server = "inner-tunnel"
>                 }
>                 mschapv2 {
>                 }
>         }
> 
> modules/ldap:
> ldap {
>         server = "sti-teste.domain.br"
>         identity = "cn=system,dc=domain,dc=br"
>         password = secret
>         basedn = "ou=Users,dc=domain,dc=br"
>         base_filter = "(objectclass=radiusprofile)"
>         ldap_connections_number = 5
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         tls {
>                 start_tls = no
>         }
>         access_attr = "radiusFilterId"
>         dictionary_mapping = ${confdir}/ldap.attrmap
>         authtype = ldap
>         edir_account_policy_check = no
> }
> 
> sites-enabled/inner-tunnel:
> server inner-tunnel {
> authorize {
>         chap
>         mschap
>         unix
>         suffix
>         update control {
>                Proxy-To-Realm := LOCAL
>         }
>         eap {
>                 ok = return
>         }
>         files
>         ldap
>         expiration
>         logintime
>         pap
> }
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type CHAP {
>                 chap
>         }
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>         unix
>         Auth-Type LDAP {
>                 ldap
>         }
>         eap
> }
> session {
>         radutmp
> }
> post-auth {
>         Post-Auth-Type REJECT {
>                 attr_filter.access_reject
>         }
> }
> pre-proxy {
> }
> post-proxy {
>         eap
> }
> 
> clients.conf:
> client angelina {
>         ipaddr = 192.168.205.6
>         secret = testing123
> }
> client tplink {
>         ipaddr = 192.168.205.29
>         secret = testing123
> }
> 
> # radtest teste secret angelina 1812 testing123
> Sending Access-Request of id 48 to 192.168.205.6 port 1812
>         User-Name = "teste"
>         User-Password = "secret"
>         NAS-IP-Address = 192.168.205.6
>         NAS-Port = 1812
> rad_recv: Access-Accept packet from host 192.168.205.6 port 1812,
> id=48, length=64
>         Filter-Id = "Enterasys:version=1:policy=Enterprise User"
> 

OK, but what about a debug from a request made by an XP client using PEAP
connected to your switch?



More information about the Freeradius-Users mailing list