802.1x host/machine authentication

Chidanand Gangur chidanand.gangur at gmail.com
Wed Oct 20 13:22:56 CEST 2010


Hi,

I have the following setup,

where a Windows host is connected to a Cisco 2960, which is connected to
Microsoft AD via a RADIUS proxy:

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
Microsoft AD (2003)

In the above setup, user authentication goes fine. I am using PEAP v1
authentication.

I am struggling hard to make host authentication successful.

When the machine boots, I see a RADIUS Access-Request with User-Name = "host/
radhost1.testad1.com", which matches the IPASS-type realm format, so it searches
for the realm "host" and things do not work.

Please point me to links/docs or give me a pointer on where/how to start.

rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141,
length=165
User-Name = "host/radhost1.testad1.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-21-D7-00-51-89"
Calling-Station-Id = "00-13-20-38-33-27"
EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
NAS-Port-Type = Ethernet
NAS-Port = 50009
NAS-IP-Address = 192.168.6.200
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for
User-Name = "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "
radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied.
Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied.
Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length
30
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.


Thanks & Regards

-- 
Chidanand Gangur
Pune.
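A small model of the realm decision, added here as an example and not taken from the post or from FreeRADIUS: it reproduces the IPASS-style "realm/user" split that the log shows turning "host/radhost1.testad1.com" into realm "host", beside a parser that recognises the machine form first and takes the realm from the DNS suffix instead. The "hostname$" computer-account form and the suffix-to-realm mapping are assumptions about the directory, not facts from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RealmDecision:
    kind: str                      # "machine", "user" or "unqualified"
    realm: Optional[str]           # realm a proxy would route on (None = local)
    stripped_user: Optional[str]   # identity handed to the authentication backend


def ipass_split(user_name: str) -> Tuple[Optional[str], str]:
    """Mimic the IPASS 'realm/user' convention: text before the first '/' is the realm.

    For the identity in the log this yields realm 'host' and user
    'radhost1.testad1.com', which is exactly the lookup the log reports.
    """
    realm, sep, user = user_name.partition("/")
    return (realm, user) if sep else (None, user_name)


def classify_identity(user_name: str) -> RealmDecision:
    """Recognise the 802.1X machine form before any generic realm split runs."""
    m = re.fullmatch(r"host/([^./]+)(?:\.(.+))?", user_name)
    if m:
        hostname, dns_suffix = m.group(1), m.group(2)
        # Assumption: the directory's computer account is the short hostname plus '$',
        # and the DNS suffix of the FQDN is the realm to route on.
        realm = dns_suffix.lower() if dns_suffix else None
        return RealmDecision("machine", realm, hostname.lower() + "$")
    if "@" in user_name:                      # user@realm, as the suffix module expects
        user, _, realm = user_name.rpartition("@")
        return RealmDecision("user", realm.lower(), user)
    if "\\" in user_name:                     # DOMAIN\user, as the ntdomain module expects
        realm, _, user = user_name.partition("\\")
        return RealmDecision("user", realm.lower(), user)
    return RealmDecision("unqualified", None, user_name)
```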