question about windows users

Bartosz Chodzinski bartosz.c at gmail.com
Thu May 14 13:41:24 CEST 2009


>2.0.4 should be available for Debian.
I know, 2.0.4 freeradius is available for debian lenny but not etch
unfortunately.

>2. Use EAP-TLS to connect (Smart card or certificate in Windows speak).
Could you tell me where in the config to put that? I tried what is described
below but it doesn't work.
eap.conf:
        eap {
                default_eap_type = tls
                ....
              }
and I set up on XP:
local connection->properties->authentication->smart card or certificate, and
I chose my cacert.pem

How do I configure it that way?
Thank you for the rapid answer.
Bartosz.




On Thu, May 14, 2009 at 12:54 PM, Ivan Kalik <tnt at kalik.net> wrote:

> > I have freeradius with eap support on debian etch, radius v1.1.3
>
> 2.0.4 should be available for Debian. Upgrade. Vista doesn't work with
> 1.1.3. And you will have problems with XP SP3.
>
> > "everything" is working fine but I'd like to have a much simpler
> > configuration
> > only by certificate and nothing more,
> > so I have a few questions:
> >
> > 1.
> > fragment of my log first, before question
> > Listening on authentication *:1812
> > Listening on accounting *:1813
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159
> >         NAS-IP-Address = 192.168.5.206
> >         NAS-Port = 50046
> >         NAS-Port-Type = Ethernet
> >         User-Name = "PC-01\\Administrator"
> >         Called-Station-Id = "00-0C-30-81-9B-EE"
> >         Calling-Station-Id = "00-0A-E4-13-1A-02"
> >         Service-Type = Framed-User
> >         Framed-MTU = 1500
> >         EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72
> >         Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> >     rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >
> > my users file contain:
> > "PC-01\\Administrator" User-Password == "passwd"
> >
> > how can I avoid this value PC-01? It's really annoying, I would like to
> > have only the real user; PC-01 is "my computer -> properties -> computer name
> > -> full computer name". I would like to have only the username (without
> > case sensitivity).
>
> 1. Don't use windows logon name. Untick that when you are making the
> connection.
>
> 2. You can't strip username in EAP. Use ntdomain. It's listed but
> commented out in default configuration.
>
> > sth like
> > "administrator" User-Password == "passwd"
> >
>
> For that to work add domain bit as local realm to proxy.conf.
>
> > 2.
> > I would like to use only a certificate to check whether or not some computer
> > should have a network connection,
> > I don't care about login or password,
> > if the client has a valid cacert.pem installed on the PC (Windows XP) it should
> > grant access to the network, is it possible to do that?
>
> Use EAP-TLS to connect (Smart card or certificate in Windows speak).
>
> > 3.
> > when I read the log from freeradius -X I see that one PC needs to have
> > 7 requests
> > in freeradius and on the 8th request it is accepted, is it OK?
> >
>
> Yes.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
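
Added example, not part of the original thread and not FreeRADIUS code: a Python sketch of why the `PC-01\` prefix shows up and what splitting it off looks like. It parses an EAP-Response/Identity packet like the one in the quoted log, then models the `DOMAIN\user` split that the reply attributes to ntdomain; the function names, the first-delimiter rule and the case-folded lookup key are assumptions made for illustration, and the sample packet is constructed.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
HEADER_LEN = 5  # code (1) + identifier (1) + length (2) + type (1)

def build_identity_response(ident: int, identity: str) -> bytes:
    """Construct a sample EAP-Response/Identity packet (constructed input)."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, ident,
                         HEADER_LEN + len(data), EAP_TYPE_IDENTITY)
    return header + data

def parse_eap_identity(packet: bytes) -> str:
    """Return the identity carried in an EAP-Response/Identity packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("EAP packet shorter than its 5-byte header")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:HEADER_LEN])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("EAP length field does not match the data received")
    return packet[HEADER_LEN:length].decode("utf-8")

def split_nt_domain(user_name: str, delimiter: str = "\\"):
    """Split DOMAIN\\user at the first delimiter.

    Returns (realm, stripped_user). A name with no domain part comes back
    as (None, user_name) so it can fall through to the default handling.
    """
    realm, sep, user = user_name.partition(delimiter)
    if not sep or not realm or not user:
        return None, user_name
    return realm, user

def lookup_key(user_name: str) -> str:
    """Case-insensitive key for a users lookup (illustrative policy choice)."""
    _realm, user = split_nt_domain(user_name)
    return user.casefold()

if __name__ == "__main__":
    pkt = build_identity_response(0, "PC-01\\Administrator")
    identity = parse_eap_identity(pkt)
    # The EAP identity itself stays intact; only the derived name is stripped.
    print(identity, split_nt_domain(identity), lookup_key(identity))
```

The identity inside the EAP message is left untouched; only a separate stripped name is derived from it, which matches the reply's point that the username cannot be stripped in EAP itself.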