802.1x host/machine authentication
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 20 16:17:41 CEST 2010
On 20/10/10 12:22, Chidanand Gangur wrote:
> Hi,
>
> I have the following setup
>
> where a Windows host is connected to a Cisco 2960 which is connected to
> Microsoft AD via a RADIUS proxy
>
> Windows host (XP SP3) -> Cisco 2960 -> FreeRADIUS proxy (2.1.10) ->
> Microsoft AD (2003)
>
> In the above setup user authentication goes fine. I am using PEAP v1
> authentication.
>
> I am struggling hard to make host authentication successful.
>
> When the machine boots I see a RADIUS Access-Request with User-Name =
> "host/radhost1.testad1.com" which
> qualifies to IPASS type realm and searches for realm as "host" and
> things do not work.

No - it's not an IPASS realm. You need to disable the IPASS module.

   host/machine.domain.com

corresponds to:

   DOMAIN\machine$

i.e. the machine account.

The "mschap" module can expand this, for example if you have the
"ntlm_auth" helper to authenticate MS-CHAP against a Windows domain
using Samba as a helper:

   ntlm_auth = "... --username=%{mschap:User-Name} ..."

...will do the right thing.

>
> Please point me to links/docs or give me a pointer on where/how to start.

Post the full debug output, not an edited version.

> Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
> Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
> Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge

This is EAP-MD5. You have not configured your Windows client correctly.
Configure it correctly for PEAP/MS-CHAP.
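
The name mapping discussed in this thread, as an added Python illustration that is not part of the original post and is not FreeRADIUS code: it shows why a prefix-style ("realm/user") split reads the machine identity as realm "host", and how the same identity maps to the machine account. The function names are hypothetical, and deriving the NT domain from the first DNS label after the host name is an assumption that only holds when the NetBIOS and DNS domain names match.

```python
# Added illustration; models the name mapping described in the reply.
# It is not FreeRADIUS source code, and the function names are hypothetical.

def ipass_style_split(user_name, delimiter="/"):
    """Prefix-realm parsing ("realm/user"), which misreads machine names."""
    realm, sep, user = user_name.partition(delimiter)
    return (realm, user) if sep else (None, user_name)


def machine_account(user_name):
    """Map an 802.1X identity to (nt_domain, account).

    host/machine.domain.com -> (DOMAIN, machine$)
    DOMAIN\\user             -> (DOMAIN, user)
    anything else            -> (None, unchanged)
    """
    if user_name.lower().startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        host = labels[0]
        if not host:
            raise ValueError("empty host name in %r" % user_name)
        # Assumption: NetBIOS domain == first DNS label of the AD domain.
        # Upper-casing only matches the DOMAIN\machine$ notation in the thread.
        domain = labels[1].upper() if len(labels) > 1 and labels[1] else None
        return domain, host + "$"
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return None, user_name


def format_nt(user_name):
    """Render the mapped identity as DOMAIN\\account, or the bare account."""
    domain, account = machine_account(user_name)
    return account if domain is None else domain + "\\" + account


# Constructed sample identities; the first is the one quoted in the thread.
SAMPLES = ["host/radhost1.testad1.com", "TESTAD1\\alice", "alice"]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-28s realm-split=%r nt=%s"
              % (name, ipass_style_split(name), format_nt(name)))
```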