Freeradius + AD + WiFi + EAP
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Mon Sep 13 18:04:46 CEST 2010
Hi,
> peap {
>
> default_eap_type = mschapv2
> copy_request_to_tunnel = no
> use_tunneled_reply = no
personally, I'd advise that you set those to yes rather than no.
> File /etc/raddb/users
>
> DEFAULT Auth-Type = ntlm_auth
you don't need to do this. ever. we do PEAP and don't have such a line - in fact,
the only time you need to set this is if you need to break the system in a weird
way
> Files /etc/raddb/sites-enable/inner-tunnel and /etc/raddb/sites-enable/default
>
> authenticate {
> ....
> ntlm_auth
> ...
> }
no no no. leave the inner-tunnel and default exactly as you found them - it will work out
of the box. what guide were you following to get this working? I ask because if there
is some document out there then it needs to be taken down.
> [root at radiusserver etc]# ntlm_auth --request-nt-key --domain=MYDOMAINTEST --username=testuser01 --password=test
> NT_STATUS_OK: Success (0x0)
good, that bit's fine
> [root at radiusserver /]# radtest testuser01 test localhost 0 teste123
> Sending Access-Request of id 51 to 127.0.0.1 port 1812
> User-Name = "testuser01"
> User-Password = "test"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=51, length=20
and all that's done is a basic PAP test. you'd need to use more advanced tools such as eapol_test
from the wpa_supplicant package for actually simulating a standard Windows client that is
doing an EAP method - with an EAP test your packets would be proxied into the inner-tunnel
virtual server...
alan
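As an added example (not part of the thread), here is the eapol_test setup for the PEAP/MSCHAPv2 check alan recommends, reusing the username, password, server and shared secret from the radtest run quoted above; the `-t 5` timeout, the temp-file path and the helper names are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: drive a PEAP/MSCHAPv2 authentication
# through eapol_test (from wpa_supplicant) so the request is actually proxied
# into FreeRADIUS's inner-tunnel virtual server, unlike the PAP-only radtest.

# Write a wpa_supplicant-style network block for eapol_test.
# $1 = output path, $2 = identity, $3 = password
write_peap_conf() {
    cat > "$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$2"
    password="$3"
    # Inner method carried inside the TLS tunnel; this is what reaches
    # the inner-tunnel server and, from there, ntlm_auth and AD.
    phase2="auth=MSCHAPV2"
    # No ca_cert here, so the server certificate is not validated:
    # fine for a lab test of the server, not for a real client profile.
}
EOF
    [ -s "$1" ]
}

# Print the eapol_test command line for a server/port/secret.
# $1 = conf file, $2 = RADIUS server, $3 = auth port, $4 = shared secret
eapol_cmd() {
    # -r 1: one authentication; -t 5: give up after 5 s (assumed enough for a lab)
    printf 'eapol_test -c %s -a %s -p %s -s %s -r 1 -t 5\n' "$1" "$2" "$3" "$4"
}

# Run the test and report only eapol_test's final verdict (SUCCESS/FAILURE).
run_peap_test() {
    cmd=$(eapol_cmd "$@")
    $cmd | tail -n 1
}

main() {
    conf=${TMPDIR:-/tmp}/peap-mschapv2.conf
    write_peap_conf "$conf" testuser01 test
    if command -v eapol_test >/dev/null 2>&1; then
        run_peap_test "$conf" 127.0.0.1 1812 teste123
    else
        echo "eapol_test not found; would run: $(eapol_cmd "$conf" 127.0.0.1 1812 teste123)"
    fi
}

main "$@"
```

A SUCCESS verdict means the whole PEAP exchange, including the MSCHAPv2 leg handled by the inner-tunnel server and ntlm_auth, completed; with `-s` wrong you get no reply at all rather than a FAILURE, which is a quick way to tell a shared-secret mismatch from an AD credential problem.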