Request for directions: WinXP + Samba + LDAP + 802.1x
nf-vale
nf-vale at critical-links.com
Fri Dec 11 19:46:11 CET 2009
On Friday 11 December 2009 18:32:02 Fabiano Caixeta Duarte wrote:
> 2009/12/11 nf-vale <nf-vale at critical-links.com>:
> > On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
> >> Maybe I didn't make myself clear.
> >>
> >> I don't have AD and don't wanna. I did set clients to use 802.1x
> >>
> >> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
> >> would depend on what you'd answer about my first question.
> >
> > Set XP clients to use 802.1x PEAP and don't forget to add your NAS client
> > (switch) to the clients.conf file in radius.
> >
> > You should provide some more info about your current configuration
> > (freeradius version, files modified by you, etc) and at least some debug
> > (radiusd -X) from a client authentication request for people to
> > understand where you have got so far.
>
> Ok. Let's follow that path.
>
> The confs I touched:
>
> eap.conf:
> eap {
> default_eap_type = peap
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 2048
> md5 {
> }
> leap {
> }
> gtc {
> auth_type = PAP
> }
> tls {
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> private_key_password = whatever
> private_key_file = ${certdir}/server.pem
> certificate_file = ${certdir}/server.pem
> CA_file = ${cadir}/ca.pem
> dh_file = ${certdir}/dh
> random_file = ${certdir}/random
> cipher_list = "DEFAULT"
> make_cert_command = "${certdir}/bootstrap"
> cache {
> enable = no
> max_entries = 255
> }
> }
> ttls {
> default_eap_type = md5
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> }
> peap {
> default_eap_type = mschapv2
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> }
> mschapv2 {
> }
> }
>
> modules/ldap:
> ldap {
> server = "sti-teste.domain.br"
> identity = "cn=system,dc=domain,dc=br"
> password = secret
> basedn = "ou=Users,dc=domain,dc=br"
> base_filter = "(objectclass=radiusprofile)"
> ldap_connections_number = 5
> timeout = 4
> timelimit = 3
> net_timeout = 1
> tls {
> start_tls = no
> }
> access_attr = "radiusFilterId"
> dictionary_mapping = ${confdir}/ldap.attrmap
> authtype = ldap
> edir_account_policy_check = no
> }
>
> sites-enabled/inner-tunnel:
> server inner-tunnel {
> authorize {
> chap
> mschap
> unix
> suffix
> update control {
> Proxy-To-Realm := LOCAL
> }
> eap {
> ok = return
> }
> files
> ldap
> expiration
> logintime
> pap
> }
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> unix
> Auth-Type LDAP {
> ldap
> }
> eap
> }
> session {
> radutmp
> }
> post-auth {
> Post-Auth-Type REJECT {
> attr_filter.access_reject
> }
> }
> pre-proxy {
> }
> post-proxy {
> eap
> }
> }
>
> clients.conf:
> client angelina {
> ipaddr = 192.168.205.6
> secret = testing123
> }
> client tplink {
> ipaddr = 192.168.205.29
> secret = testing123
> }
>
> # radtest teste secret angelina 1812 testing123
> Sending Access-Request of id 48 to 192.168.205.6 port 1812
> User-Name = "teste"
> User-Password = "secret"
> NAS-IP-Address = 192.168.205.6
> NAS-Port = 1812
> rad_recv: Access-Accept packet from host 192.168.205.6 port 1812,
> id=48, length=64
> Filter-Id = "Enterasys:version=1:policy=Enterprise User"
>
Ok, but what about a debug from a request made by an XP client using PEAP
connected to your switch?
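Added example, not part of the thread and not FreeRADIUS's own code: a small Python linter for the brace-delimited FreeRADIUS 2.x config style posted above. It parses a constructed sample with the same shape and example values as the eap.conf, modules/ldap, inner-tunnel and clients.conf fragments, then flags the points a reviewer would raise before moving on to PEAP debugging: the `testing123` shared secrets and `whatever` key password are the placeholders shipped in the example configs, the LDAP bind runs without start_tls, and inner MS-CHAPv2 cannot be verified by an LDAP bind at all (the server needs the NT hash, mapped through ldap.attrmap). The finding keys and the `_modules` list key are this example's own conventions.

```python
"""Lint a FreeRADIUS 2.x-style configuration fragment for weak settings.
Stand-alone example with a constructed sample; not FreeRADIUS code."""
import re

# Constructed sample: same shape and example values as the fragments in the thread.
SAMPLE_CONFIG = """
eap {
    default_eap_type = peap
    tls {
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        cipher_list = "DEFAULT"
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
ldap {
    server = "sti-teste.domain.br"
    identity = "cn=system,dc=domain,dc=br"
    password = secret
    tls {
        start_tls = no
    }
    authtype = ldap
}
server inner-tunnel {
    authorize {
        mschap
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        ldap
    }
}
client angelina {
    ipaddr = 192.168.205.6
    secret = testing123   # placeholder shipped in the example clients.conf
}
client tplink {
    ipaddr = 192.168.205.29
    secret = testing123
}
"""

SECTION_RE = re.compile(r'^\s*([\w-]+)(?:\s+([\w.:-]+))?\s*\{\s*$')
ASSIGN_RE = re.compile(r'^\s*([\w-]+)\s*:?=\s*(.*?)\s*$')
MODULE_RE = re.compile(r'^\s*([\w.-]+)\s*$')

def parse_config(text):
    """Parse brace-delimited config into nested dicts.

    'client angelina {' becomes key 'client angelina'; assignments (including
    ':=' updates) become strings with surrounding quotes stripped; bare module
    references collect under the '_modules' list; '#' comments are dropped.
    Raises ValueError on unbalanced braces or an unparsable line.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1) if m.group(2) is None else f"{m.group(1)} {m.group(2)}"
            stack[-1][name] = {}
            stack.append(stack[-1][name])
            continue
        if line.strip() == '}':
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip('"')
            continue
        m = MODULE_RE.match(line)
        if m:
            stack[-1].setdefault("_modules", []).append(m.group(1))
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("missing closing brace")
    return root

EXAMPLE_SECRETS = {"testing123"}       # value shipped in the example clients.conf
EXAMPLE_KEY_PASSWORDS = {"whatever"}   # value shipped in the example eap.conf

def lint(cfg):
    """Return (key, message) findings a reviewer would raise on this config."""
    findings = []
    for name, sec in cfg.items():
        if name.startswith("client ") and sec.get("secret") in EXAMPLE_SECRETS:
            findings.append(("example-shared-secret",
                f"{name}: shared secret is the example value; it is what protects "
                "User-Password and the EAP-derived keys between NAS and server"))
    eap = cfg.get("eap", {})
    if eap.get("tls", {}).get("private_key_password") in EXAMPLE_KEY_PASSWORDS:
        findings.append(("example-key-password",
                         "eap.tls: private_key_password is the example value"))
    ldap = cfg.get("ldap", {})
    if (ldap.get("password") and ldap.get("tls", {}).get("start_tls", "no") == "no"
            and not ldap.get("server", "").startswith("ldaps://")):
        findings.append(("ldap-cleartext-bind",
            "ldap: bind password set but start_tls = no and server is not ldaps://; "
            "bind credentials and any password attributes cross the wire in clear"))
    if eap.get("peap", {}).get("default_eap_type") == "mschapv2" and "ldap" in cfg:
        findings.append(("mschapv2-needs-nt-hash",
            "eap.peap: inner MS-CHAPv2 is verified from the user's NT hash (or a "
            "cleartext password the server hashes); an LDAP bind cannot check it, so "
            "ldap.attrmap must map a hash attribute such as sambaNTPassword to NT-Password"))
    return findings

if __name__ == "__main__":
    for key, msg in lint(parse_config(SAMPLE_CONFIG)):
        print(f"[{key}] {msg}")
```

Point the parser at the real files (`parse_config(open(path).read())`) to run the same checks on a live tree; the last finding is the one that matters for the thread, since the PAP radtest above succeeds through an LDAP bind, which PEAP/MS-CHAPv2 from the XP client will not use.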