New User and AD Question

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Sun Feb 27 23:04:56 CET 2011


Two comments about posting logs ... 

#1 Post the entire log of radiusd -X (NOT -XX, that has a bunch of timestamps we don't need) and don't redact anything that's not privileged info; you can very easily remove the portion of the log that holds the answer to your questions.

#2 Your output of radiusd -X WILL CONTAIN your SSL cert passwords in CLEAR TEXT!  So make sure you remember to scrub them of any info you don't want becoming public.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221

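The scrubbing step above is easy to get wrong by hand on a multi-thousand-line debug log. Here is an added example (not from the poster or from the FreeRADIUS project) that redacts the values of the config keys and RADIUS attributes a radiusd -X dump can carry in the clear, while keeping every line in place so the rest of the log still reads. The key list and the sample log are this example's own assumptions, constructed to look like a FreeRADIUS 2.x config dump followed by a PAP request; check the real output afterwards for anything the list misses.

```python
import re

# Config keys and RADIUS attributes whose values can appear in the clear in radiusd -X output.
# This list is an assumption of the example; extend it for your own modules and dictionaries.
SECRET_KEYS = (
    "private_key_password",   # eap { tls { ... } }: passphrase of the server certificate key
    "secret",                 # client { ... }: RADIUS shared secret
    "password",               # ldap { } / sql { }: bind password
    "User-Password",          # PAP requests print the password attribute in the clear
    "Cleartext-Password",     # control items looked up from the users file or SQL
    "NT-Password",
    "LM-Password",
    "Tunnel-Password",
)

_KEY_ALT = "|".join(re.escape(k) for k in SECRET_KEYS)

# Match only at the start of a line (after indentation), so a value that merely contains one of
# the key names (e.g. User-Name = "secret") is left alone. The optional ":<tag>" covers tagged
# attributes such as Tunnel-Password:0.
_SECRET_LINE = re.compile(
    r"^(?P<prefix>[ \t]*(?:" + _KEY_ALT + r")(?::\d+)?[ \t]*=[ \t]*)"
    r'(?P<value>"[^"]*"|\S+)',
    re.IGNORECASE | re.MULTILINE,
)


def scrub_debug_log(text, placeholder='"<redacted>"'):
    """Replace secret values in radiusd -X output; line count and layout are preserved."""
    return _SECRET_LINE.sub(lambda m: m.group("prefix") + placeholder, text)


# Constructed sample shaped like a FreeRADIUS 2.x -X run; not a real capture.
SAMPLE_LOG = """\
client localhost {
\tipaddr = 127.0.0.1
\trequire_message_authenticator = no
\tsecret = "testing123"
\tshortname = "localhost"
}
 Module: Instantiating eap
  tls {
\tprivate_key_password = "whatever"
\tprivate_key_file = "/etc/raddb/certs/server.pem"
\tcertificate_file = "/etc/raddb/certs/server.pem"
  }
rad_recv: Access-Request packet from host 10.0.0.5 port 1645, id=12, length=74
\tUser-Name = "host/pc01.ad.domain.name"
\tUser-Password = "pap-password"
\tNAS-IP-Address = 10.0.0.5
"""

if __name__ == "__main__":
    print(scrub_debug_log(SAMPLE_LOG))
```

Run it as `radiusd -X 2>&1 | python3 scrub.py` after replacing the sample with `sys.stdin.read()`, then read the result once more before posting; the regex knows nothing about values that are secret for reasons other than their key name (internal hostnames, addresses).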

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of McNutt, Justin M.
Sent: Sunday, February 27, 2011 2:05 PM
To: FreeRadius users mailing list
Subject: RE: New User and AD Question

> McNutt, Justin M. wrote:
> > New member to the list, here.  I have a question about AD
> computer-based
> > authentication.  Basically, how is it accomplished?
> 
> http://deployingradius.com/documents/configuration/active_directory.html
> 
>   It's pretty much the same as normal user authentication.  PEAP goes 
> in, authentication goes out, never a miscommunication. :)

If I recall, we used this walkthrough to get user authentication to work (which it does), but it still doesn't work for host authentication.  This is keeping in mind that users' creds come across as "NT-LIKE-DOMAIN\\USERID" but hosts appear as "host\\computer.ad.domain.name" AND that "NT-LIKE-DOMAIN" and "ad.domain.name" do not look at all alike.

I'll re-read the link, though, just to be sure.

>   So... what goes wrong?

For users, it's a number of things.  Bad passwords.  Attempts to use EAP-TLS or EAP-MD5 (which we don't support).  Misspelled or missing domain names.  That sort of thing.

For the hosts, it Just Doesn't Work.  I have yet to determine why.  (More research.)

>   Post the debug log from a failed session.

Will do.  (Pulling just the relevant bits out will be difficult, given the verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so it shouldn't take long.)

--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
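The naming mismatch Justin describes is the crux for machine authentication: a user arrives as NT-LIKE-DOMAIN\USERID, a machine as host/computer.ad.domain.name, and the NT domain cannot be read off the DNS suffix when the two differ. The following added example (not FreeRADIUS code and not from either poster) shows one mapping of both forms to the --domain and --username values that FreeRADIUS's standard ntlm_auth invocation takes. Its assumptions: AD computer accounts are named after the short host name with a trailing "$", and the NT domain is a configured constant (NT-LIKE-DOMAIN, the thread's placeholder) rather than derived from the User-Name. The backslash variant of the host form is accepted because that is how the message shows it.

```python
import re

# NT-style domain that both user and computer accounts live in. It cannot be derived from the
# DNS name in "host/computer.ad.domain.name" when the two differ, so it is configured here.
# "NT-LIKE-DOMAIN" is the placeholder used in the thread (an assumption of this example).
NT_DOMAIN = "NT-LIKE-DOMAIN"

# Machine credentials arrive as "host/<fqdn>"; the message shows it with a backslash, so both
# separators are accepted.
_HOST_FORM = re.compile(r"^host[/\\](?P<fqdn>[^/\\@]+)$", re.IGNORECASE)


def split_identity(user_name, default_domain=NT_DOMAIN):
    """Map a RADIUS User-Name to the (domain, account) pair for ntlm_auth.

    NT-LIKE-DOMAIN\\jdoe       -> ("NT-LIKE-DOMAIN", "jdoe")
    host/pc01.ad.domain.name   -> ("NT-LIKE-DOMAIN", "PC01$")
    jdoe                       -> ("NT-LIKE-DOMAIN", "jdoe")
    """
    m = _HOST_FORM.match(user_name)
    if m:
        # Assumption: the computer account is the short host name plus "$" (sAMAccountName
        # PC01$); the DNS suffix is not part of the account name, so it is dropped.
        short = m.group("fqdn").split(".", 1)[0]
        return default_domain, short.upper() + "$"
    if "\\" in user_name:
        # DOMAIN\user: the client already named the NT domain, keep it.
        domain, account = user_name.split("\\", 1)
        return domain, account
    # Bare user name: nothing to go on but the configured domain.
    return default_domain, user_name


def ntlm_auth_args(user_name, challenge_hex, response_hex, default_domain=NT_DOMAIN):
    """Build the argument list of the ntlm_auth call used in FreeRADIUS's mschap module
    (--request-nt-key with --domain/--username/--challenge/--nt-response). Nothing is executed."""
    domain, account = split_identity(user_name, default_domain)
    return [
        "ntlm_auth",
        "--request-nt-key",
        "--domain=" + domain,
        "--username=" + account,
        "--challenge=" + challenge_hex,
        "--nt-response=" + response_hex,
    ]


if __name__ == "__main__":
    # Constructed inputs; the challenge and response are dummy hex, not real MS-CHAPv2 values.
    for name in ("NT-LIKE-DOMAIN\\jdoe", "host/pc01.ad.domain.name", "jdoe"):
        print(name, "->", ntlm_auth_args(name, "00" * 8, "00" * 24))
```

The point of the split is that for the host form the domain comes from configuration, not from the string. If the debug log shows ntlm_auth being called with --domain=ad.domain.name (or with the DNS suffix and the host/ prefix still attached) for machine requests, the name mapping is where to look first.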
