Freeradius + AD + WiFi + EAP

Alan Buxey A.L.M.Buxey at
Mon Sep 13 18:04:46 CEST 2010


> peap {
>             default_eap_type = mschapv2
>             copy_request_to_tunnel = no
>             use_tunneled_reply = no

personally, I'd advise that you set those to yes rather than no.

> File /etc/raddb/users
> DEFAULT     Auth-Type = ntlm_auth

you dont need to do this. ever. we do PEAP and dont have such a line - in fact,
the only time you need to est this is if you need to break the system in a wierd

> Files /etc/raddb/sites-enable/inner-tunnel and /etc/raddb/sites-enable/default
> authenticate {
> ....
> ntlm_auth
> ...
> }

no no no. leave the inner-tunnel and default exactly as you found them - it will work out
of the box.  what guide were you following to get this working? I ask because if there
is some document out there than it needs to be taken down.

> [root at radiusserver etc]# ntlm_auth --request-nt-key --domain=MYDOMAINTEST --username=testuser01  --password=test
> NT_STATUS_OK: Success (0x0)

good, that bits fine

> [root at radiusserver /]# radtest testuser01 test localhost 0 teste123
> Sending Access-Request of id 51 to port 1812
>     User-Name = "testuser01"
>     User-Password = "test"
>     NAS-IP-Address =
>     NAS-Port = 0
> rad_recv: Access-Accept packet from host port 1812, id=51, length=20

and all thats done is a basic PAP test. you'd need to use more advanced tools such as eapol_test
from the wpa_supplicant package for actually simulating a standard Windows client that is
doing an EAP method - with an EAP test your packets would be proxied into the inner-tunnel
virtual server...


More information about the Freeradius-Users mailing list