RADIUS Questions

Garber, Neal Neal.Garber at iberdrolausa.com
Tue Jul 26 21:30:43 CEST 2011

You didn't give much information regarding your
environment, so some of the responses below are
based upon assumptions: that you manage all devices
that are connecting, that they are joined to your
A/D domain and that you are using the Windows

You haven't said what version of Windows you
are running and what version of FreeRADIUS
you are running!

> Currently with Windows machines I can't just connect to
> the SSID and enter in a username and password. I have 
> to go and manually add the SSID, modify some settings; 

If you are referring to PEAP vs. TLS, that's a Windows XP
issue. XP defaults to TLS and won't connect automatically
if you are using PEAP.  However, you can push wireless
policy to your Windows devices using A/D group policy
and set this up automatically.

> specifically turning off validating server certificate

This is a bad idea as you could be passing your credentials
to someone else's RADIUS server.  It's best to generate a
certificate signed by an internal Certificate Authority
and require a cert signed by that CA in your 802.1x config.
This too can be pushed to Windows devices as part of your
A/D policy assuming they are joined to your domain and
run Windows.

> turning off automatically use my Windows login, and 
> turning on User or computer authentication mode.

Why do you want to use manual authentication as opposed to
automatic?  If the machines that are connecting are joined
to your A/D domain, you may want to consider using machine
authentication. User authentication, in the current release,
doesn't support MS-CHAP password change. Also, user
authentication with the Windows supplicant requires the
presence of cached credentials (because you log on locally
first and then connect to the wireless network) which may
not match current A/D credentials.

> error message was: winbind client not authorized to
> use winbindd_pam_auth_crap. Ensure permissions on 
> /var/cache/samba/winbindd_privileged are set correctly.

Use "sudo wbinfo" or run it as root if you don't use sudo.
That said, wbinfo isn't used by FreeRADIUS to authenticate
to A/D (ntlm_auth is used for PEAP/MS-CHAPv2).
