New User and AD Question

McNutt, Justin M. McNuttJ at missouri.edu
Mon Feb 28 21:43:46 CET 2011


Removing the shared secrets, LDAP user passwords, etc. was the redacting I was talking about.  That, and removing the thousands of messages related to other users' auth attempts, if I had had to do this on a production server.

Fortunately, that wasn't necessary.  I was able to get a valid debug log from the test server.

--J 

> -----Original Message-----
> From: freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
> Sent: Sunday, February 27, 2011 4:05 PM
> To: FreeRadius users mailing list
> Subject: RE: New User and AD Question
> 
> Two comments about posting logs ... 
> 
> #1 Post the entire log of radiusd -X (NOT -XX, that has a 
> bunch of timestamps we don't need) and don't redact anything 
> that's not privileged info, you can very easily remove the 
> portion of the log that holds the answer to your questions.
> 
> #2  your output of radiusd -X WILL CONTAIN your SSL cert 
> passwords in CLEAR TEXT!  So make sure you remember to scrub 
> them of any info you don't want becoming public.
> 
> Jake Sallee
> Godfather Of Bandwidth
> Network Engineer
> 
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> 
> -----Original Message-----
> From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of McNutt, Justin M.
> Sent: Sunday, February 27, 2011 2:05 PM
> To: FreeRadius users mailing list
> Subject: RE: New User and AD Question
> 
> > McNutt, Justin M. wrote:
> > > New member to the list, here.  I have a question about AD computer-based
> > > authentication.  Basically, how is it accomplished?
> > 
> > 
> > http://deployingradius.com/documents/configuration/active_directory.html
> > 
> >   It's pretty much the same as normal user authentication.  PEAP goes
> > in, authentication goes out, never a miscommunication. :)
> 
> If I recall, we used this walkthrough to get user 
> authentication to work (which it does), but it still doesn't 
> work for host authentication.  This is keeping in mind that 
> users' creds come across as "NT-LIKE-DOMAIN\\USERID" but 
> hosts appear as "host\\computer.ad.domain.name" AND that 
> "NT-LIKE-DOMAIN" and "ad.domain.name" do not look at all alike.
> 
> I'll re-read the link, though, just to be sure.
> 
> >   So... what goes wrong?
> 
> For users, it's a number of things.  Bad passwords.  Attempts 
> to use EAP-TLS or EAP-MD5 (which we don't support).  
> Misspelled or missing domain names.  That sort of thing.
> 
> For the hosts, it Just Doesn't Work.  I have yet to determine 
> why.  (More research.)
> 
> >   Post the debug log from a failed session.
> 
> Will do.  (Pulling just the relevant bits out will be 
> difficult, given the verbosity of 'radiusd -X' but I have no 
> shortage of hosts attempting this, so it shouldn't take long.)
> 
> --J
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
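As an added example (not from the thread or the FreeRADIUS project), a small Python script that does the two log-preparation steps the replies above argue about: mask the secrets a `radiusd -X` dump prints in the clear, and drop the request blocks belonging to other users so only the failing host's attempts remain. It assumes a 2.x-style layout where each request starts at a `rad_recv:` line, and assumes the config key names `secret`, `private_key_password` and `password`; the sample log is constructed.

```python
import re

# Config keys whose values radiusd -X prints in the clear (assumed key
# names: client "secret", TLS "private_key_password", LDAP "password", and
# the User-Password request attribute). The key is kept, the value masked.
SECRET_RE = re.compile(
    r'^(\s*(?:secret|private_key_password|(?:User-)?password)\s*=\s*)"[^"]*"',
    re.IGNORECASE)
# Assumption about the log layout: each request block starts at a line
# beginning "rad_recv:" and runs to the next such line; everything before
# the first block is the config dump, which is always kept.
REQ_SPLIT = re.compile(r"(?m)^(?=rad_recv:)")
USER_RE = re.compile(r'^\s*User-Name\s*=\s*"([^"]*)"')

def scrub_secrets(line):
    """Mask a quoted secret value but keep the key so the config stays readable."""
    return SECRET_RE.sub(r'\1"<redacted>"', line)

def prepare_log(text, keep_user):
    """Keep the config dump plus request blocks whose User-Name matches
    keep_user (a regex), drop all other users' requests, scrub secrets."""
    want = re.compile(keep_user)
    preamble, *blocks = REQ_SPLIT.split(text)
    kept = [b for b in blocks
            if any(want.search(m.group(1))
                   for m in map(USER_RE.match, b.splitlines()) if m)]
    lines = (preamble + "".join(kept)).splitlines()
    return "".join(scrub_secrets(line) + "\n" for line in lines)

# Constructed sample in the style of a 2.x radiusd -X dump (not a real log).
SAMPLE = """\
 client 10.0.0.1 {
\tsecret = "testing123"
 }
\tprivate_key_password = "whatever"
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=5, length=120
\tUser-Name = "host/pc1.ad.example.edu"
Sending Access-Reject of id 5 to 10.0.0.1 port 1812
rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=6, length=118
\tUser-Name = "EXAMPLE\\\\jdoe"
\tUser-Password = "hunter2"
Sending Access-Accept of id 6 to 10.0.0.1 port 1812
"""

if __name__ == "__main__":
    print(prepare_log(SAMPLE, r"^host/"))
```

Run it over the real `radiusd -X` output with the `keep_user` pattern for the machine account in question; the config dump stays intact so readers can still see which modules and clients are configured.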