AD Authentication + radius + foundryAP

Mark Pipkin Mark.Pipkin at air2web.com
Fri May 20 16:28:41 CEST 2011


I don't like leaving things unresolved and just laying around like so
many other posts that I have run across.  I guess Alan DeKok scares them
off with the "It's in plain view dumb ass" attitude.  I'm sure after
answering the questions over and over again, it is about the only
response that someone can give who is just tired of the same old
questions and wants a challenge.

With that being said...

On Ubuntu 10.04 w/ updates, FreeRadius 2.1.8, Windows XP/7, and W2K AD

The wiki has a HowTo on AD
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

At the very top of this page there is:

Updated tutorial for freeradius 2.x is at:
http://deployingradius.com/documents/configuration/active_directory.html

This is all well and good, but I jumped straight to that link.  There
seems to be some information that is left out and that is important in
the "Updated tutorial." 

With all of the frustration I nuked all of FreeRadius from the server
using 'aptitude purge freeradius freeradius-common freeradius-utils'.
This cleaned up all of my changes.  Then I reinstalled FreeRadius.

From here I followed the "Updated tutorial" until I got to: Configuring
FreeRADIUS to use ntlm_auth for MS-CHAP.  When I reached this section,
and I had everything working, I went back to the original HowTo and read
through it. (note to self: don't jump ahead just because a HowTo seems
too good to be true.)

The "Updated tutorial" doesn't let you know anything about peap,
with_ntdomain_hack, the default setting of eap, or setting up clients.
So it is not, in my opinion a complete walk though.

There is light though.  Once I got to the point where ntlm_auth was
working for me, I started back on the wiki HowTo and went to the section
'Configuration of clients.conf'.


Set the client up (keywords in clients.conf are lowercase):
client foundryAP {
	ipaddr = 192.168.0.1
	secret = testing123
}

In the Configuration of radius.conf section (this part seems more like
the 1. Config) the 'with_ntdomain_hack = yes' setting was found in the
~/modules/mschap file.  You don't need 'auth-type = MS-CHAP'.

For ntlm_auth I'm using:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
--require-membership-of=DOMAIN+group"

The eap.conf section of the HowTo was spot on.  I also set the clients
up; this was pointed out to me earlier in this thread twice, so make sure
your client is set up correctly as well.

Currently everything is working.  I'm able to authenticate through radius
using Windows 2000 AD.

Resolved.
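The three things this thread turned out to hinge on (with_ntdomain_hack, the ntlm_auth command line with --require-membership-of, and a correct client section) are easy to check mechanically. Below is an added example, not code from the poster or the FreeRADIUS project: a small parser for the brace-delimited config format plus an audit over the snippets above. The sample config is constructed, and the 16-character secret minimum is an assumed local policy rather than a FreeRADIUS requirement.

```python
"""Lint a FreeRADIUS 2.x snippet for the points this thread raises (added
example, not the poster's or the project's code). Sample config is constructed;
the 16-character secret minimum is an assumed local policy, not a FreeRADIUS rule."""
import re

SAMPLE = """
client foundryAP {
    ipaddr = 192.168.0.1
    secret = testing123
}
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=DOMAIN+group"
}
"""

def parse(text):
    """Turn 'name [instance] { key = value ... }' blocks into nested dicts."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments; blanks match nothing below
        if sect := re.match(r"^(\S+)(?:\s+(\S+))?\s*\{$", line):
            stack.append(cur)                    # section open, e.g. 'client foundryAP {'
            cur = cur.setdefault(" ".join(p for p in sect.groups() if p), {})
        elif line == "}":
            cur = stack.pop()
        elif kv := re.match(r"^(\S+)\s*=\s*(.*)$", line):
            cur[kv.group(1)] = kv.group(2).strip().strip('"')
    return root

def audit(conf):
    """Return findings (empty list = clean) for the mschap module and clients."""
    findings = []
    mschap = conf.get("mschap", {})
    if mschap.get("with_ntdomain_hack") != "yes":
        findings.append("mschap: with_ntdomain_hack should be yes for DOMAIN\\user logins")
    cmd = mschap.get("ntlm_auth", "")
    for flag in ("--request-nt-key", "--username=%{mschap:User-Name}",
                 "--challenge=%{mschap:Challenge:-00}", "--nt-response=%{mschap:NT-Response:-00}"):
        if flag not in cmd:
            findings.append("mschap: ntlm_auth lacks " + flag)
    if "--require-membership-of=" not in cmd:
        findings.append("mschap: no --require-membership-of, any valid domain account is accepted")
    for name, sect in conf.items():              # every 'client <name>' section
        if name.startswith("client ") and (len(sect.get("secret", "")) < 16
                                           or sect.get("secret") == "testing123"):
            findings.append(name + ": shared secret is the default or shorter than 16 chars")
    return findings
```

Running audit(parse(SAMPLE)) flags only the testing123 secret; drop --require-membership-of from the ntlm_auth line and a second finding appears.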




More information about the Freeradius-Users mailing list