Renaming during Machine Authentication
Gary Gatten
Ggatten at waddell.com
Thu May 19 20:00:52 CEST 2011
Yeah, not sure what "Abooba" does when it terminates PEAP, but it weirds things out sometimes. Still doesn't explain why XP just worked but W7 had bunches of issues, but I can attest that making the Abooba controllers pass *eap to FR works better - maybe works 100%.
The only thing we noticed is, if Abooba does NOT terminate PEAP - there is no "local" login option available. We had our two FR servers configured as well as local login (as last resort). I guess now we need to be REALLY sure at least one FR server is up all the time!
G
________________________________
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Mark Jones
Sent: Thursday, May 19, 2011 12:15 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Renaming during Machine Authentication
This is on a samba domain Phil as per the cool solutions article I mentioned in an earlier post. I am looking into my Aruba settings now for termination.
Mark
>>> Phil Mayers <p.mayers at imperial.ac.uk> 5/19/2011 1:58 AM >>>
> User-Name = "host/TECH-11501"
Machines which are in the domain normally have this as:
host/name.domain.com
i.e. there is a "domain.com" at the end of the name.
The absence of that suggests to me that the machine is not a domain
member. Is that the case? If so, it cannot do machine auth.
> Calling-Station-Id = "00265EE9B2CA"
> Called-Station-Id = "000B86611894"
> MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd
> MS-CHAP2-Response =
> 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d
> Service-Type = Login-User
> Aruba-Essid-Name = "HPSD_RAD2"
> Aruba-Location-Id = "Tech 01"
Great. More Aruba, probably terminating the PEAP locally. What a junky
product.
See other posts on the list in the past few days - you should DISABLE
"terminate PEAP" (or whatever the option is) on your Aruba equipment,
and let it do the EAP/PEAP.
> +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/TECH-11501
> [mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect
Hmm. Indicating the password is not correct or the EAP has been fiddled
with.
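An added example, not part of the original thread: a small Python check that reads Access-Request attribute lines from FreeRADIUS debug output and flags the two symptoms discussed above, bare MS-CHAPv2 attributes with no EAP-Message (the controller terminated PEAP itself) and a `host/` User-Name with no domain suffix. The function names `parse_attrs` and `diagnose` are hypothetical, and the second sample request is constructed for contrast.

```python
import re

ATTR_RE = re.compile(r'^([A-Za-z0-9-]+)\s*=\s*(.*)$')

def parse_attrs(text):
    """Parse 'Name = value' debug lines; rejoin a value wrapped to the next line."""
    attrs, last = {}, None
    for raw in text.splitlines():
        line = raw.lstrip('> ').strip()      # drop mail quote markers
        m = ATTR_RE.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip('"')
        elif line and last and attrs[last] == '':
            attrs[last] = line               # wrapped value, e.g. the long hex string
    return attrs

def diagnose(attrs):
    """Return findings for the two symptoms discussed in the thread."""
    findings = []
    # Bare MS-CHAP attributes with no EAP-Message: the NAS unwrapped PEAP itself.
    if 'MS-CHAP2-Response' in attrs and 'EAP-Message' not in attrs:
        findings.append('peap-terminated-at-nas')
    # host/NAME with no DNS suffix: heuristic from the reply above, not a hard rule.
    user = attrs.get('User-Name', '')
    if user.lower().startswith('host/') and '.' not in user[5:]:
        findings.append('machine-name-without-domain')
    return findings

# Attribute lines copied from the debug output quoted in the thread.
ARUBA_REQUEST = '''
> User-Name = "host/TECH-11501"
> MS-CHAP-Challenge = 0x5551e00f40ce355de8053dbc2f64b5dd
> MS-CHAP2-Response =
> 0x0700226e95f1d0ae4efe8f381fd3714c7b0f0000000000000000904f33f5941ab6017f433da0f45438dc665447e9d6510a2d
> Service-Type = Login-User
'''

# Constructed sample: what the server sees when the controller passes EAP through.
PASSTHROUGH_REQUEST = '''
User-Name = "host/name.domain.com"
EAP-Message = 0x0201001901686f73742f6e616d652e646f6d61696e2e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
'''

if __name__ == '__main__':
    for name, sample in (('aruba', ARUBA_REQUEST), ('passthrough', PASSTHROUGH_REQUEST)):
        print(name, diagnose(parse_attrs(sample)))
```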