802.1x host/machine authentication

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 20 16:17:41 CEST 2010


On 20/10/10 12:22, Chidanand Gangur wrote:
> Hi,
>
> I have following setup
>
> where windows host  is connected to Cisco 2960  which is connected to
> Microsoft AD via RADIUS proxy
>
> Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
> Microsoft AD (2003)
>
> In the above setup user authentication goes fine. I am using PEAP v1
> authentication.
>
> I am struggling hard to make host authentication successful.
>
> When the machine boots I see radius Access-Request with User-Name =
> "host/radhost1.testad1.com" which
> qualifies to IPASS type realm and searches for realm as "host" and
> things do not work.

No - it's not an IPASS realm. You need to disable the IPASS module.

host/machine.domain.com

corresponds to:

DOMAIN\machine$

i.e. the machine account.

The "mschap" module can expand this, for example if you have the 
"ntlm_auth" helper to authenticate MS-CHAP against a windows domain 
using samba as a helper:

ntlm_auth = "... --username=%{mschap:User-Name} ..."

...will do the right thing.

>
> Please point me to links/docs or give me pointer where/how to start.

Post the full debug output, not an edited version.

> Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
> Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
> Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge

This is EAP-MD5. You have not configured your windows client correctly. 
Configure it correctly for PEAP/MS-CHAP.
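To make the host/ to machine-account mapping described above concrete, here is an added illustration in Python (not rlm_mschap's code, and not from the original post). It assumes that the NT domain is the first DNS label after the hostname, and that the values feed an ntlm_auth command line shaped like the one quoted above; the sample identity `host/radhost1.testad1.com` is the one from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NtIdentity:
    """Windows account identity derived from a RADIUS User-Name."""
    domain: Optional[str]   # NT domain, upper-cased; None if the name carried none
    account: str            # sAMAccountName-style name; machine accounts end in "$"
    is_machine: bool


def is_machine_principal(user_name: str) -> bool:
    """'host/<fqdn>' is the Kerberos-style principal Windows sends for
    computer authentication. It shares the '/' delimiter with the
    'realm/user' (IPASS) format, but 'host' is not a realm and such names
    must not be handed to a realm module configured for that format."""
    return user_name.startswith("host/") and len(user_name) > len("host/")


def to_nt_identity(user_name: str) -> NtIdentity:
    """Map host/machine.domain.com to DOMAIN\\machine$ (the machine account).
    Assumption: the NT domain is the first DNS label after the hostname."""
    if is_machine_principal(user_name):
        labels = [lbl for lbl in user_name[len("host/"):].split(".") if lbl]
        if not labels:
            raise ValueError("no hostname in %r" % user_name)
        domain = labels[1].upper() if len(labels) > 1 else None
        return NtIdentity(domain, labels[0] + "$", True)
    # Ordinary user identity, with an optional DOMAIN\ prefix.
    if "\\" in user_name:
        domain, account = user_name.split("\\", 1)
        return NtIdentity(domain.upper(), account, False)
    return NtIdentity(None, user_name, False)


def ntlm_auth_args(user_name: str) -> List[str]:
    """Arguments for the ntlm_auth helper: it must receive the machine
    account (radhost1$ in DOMAIN TESTAD1), not the raw host/ string."""
    ident = to_nt_identity(user_name)
    args = ["--username=" + ident.account]
    if ident.domain:
        args.append("--domain=" + ident.domain)
    return args


if __name__ == "__main__":
    print(ntlm_auth_args("host/radhost1.testad1.com"))
```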