I would like help for Freeradius integration on AD domain
Martin Goldstone
m.j.goldstone at isc.keele.ac.uk
Tue May 31 17:14:54 CEST 2011
On 31/05/11 14:39, edgardolenza wrote:
> Hello everybody,
Hello
>
> I apologize because I'm new with linux and freeradius also.
> I've read many forums and many howtos but I've got some trouble with user
> authentication on domain controller.
>
> This is my working layout:
> -I've got an appliance (radius client) getting authentication requests from
> users.
> -the client radius sends authentication requests to the freeradius (using
> CHAP)
> -freeradius has to ask to AD if the user can be authenticated
If you want to use AD, you'll be needing to use MSCHAPv2, realistically.
Most likely inside PEAP, as this is what the MS supplicants use.
Others may also play with EAP-TTLS, but from what I've seen dealing with
802.1x stuff here, it's nearly always MS-CHAPv2 on the inside (although
there are sometimes others available as well).
>
> I've configured many things and I've done many tests: freeradius server
> seems working correctly.
> The machine is in Microsoft domain, I'm able to make queries on ADs.
> When I try to authenticate with domain's I've got problems: I've put the
> debug on bottom of this message.
You need to make sure the freeradius server is joined to the domain
(therefore Samba must be installed). Also, you'll need winbindd running.
*snip*
> Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
> mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = yes
> ntlm_auth = "/user/bin/ntlm_auth --request-nt-key
> --username=radiustest"
> }
Obviously you'll be wanting to fix the ntlm_auth line as well.
Hope this helps.
--
Martin Goldstone Keele University, Keele,
IT Systems Administrator Staffordshire, United Kingdom, ST5 5BG
Finance & IT Telephone: +44 1782 734457
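
Added example, not part of the original post and not FreeRADIUS project code: a small shell lint for the ntlm_auth line flagged in the reply above. The checks assume the form shipped in the stock mschap module file (--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}); the function name and finding labels are hypothetical, and the sample config is constructed from the block quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example: lint the ntlm_auth line of a FreeRADIUS mschap module file.
# Prints one finding per line; prints nothing when no check fails.

lint_ntlm_auth() {
    local conf="$1" line cmd bin
    # First uncommented ntlm_auth assignment in the file.
    line=$(grep -E '^[[:space:]]*ntlm_auth[[:space:]]*=' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "MISSING: no ntlm_auth line configured"
        return 0
    fi
    # Drop 'ntlm_auth = "' and the closing quote, keep the command itself.
    cmd=$(printf '%s\n' "$line" | sed -E 's/^[^=]*=[[:space:]]*"?//; s/"?[[:space:]]*$//')
    bin=${cmd%% *}
    [ -x "$bin" ] || echo "PATH: $bin is not an executable file"
    case "$cmd" in
        *'--username=%{'*) ;;
        *) echo "USERNAME: fixed value, not expanded from the request" ;;
    esac
    case "$cmd" in
        *'--challenge='*) ;;
        *) echo "CHALLENGE: --challenge is not passed to ntlm_auth" ;;
    esac
    case "$cmd" in
        *'--nt-response='*) ;;
        *) echo "RESPONSE: --nt-response is not passed to ntlm_auth" ;;
    esac
    case "$cmd" in
        *'--request-nt-key'*) ;;
        *) echo "NTKEY: --request-nt-key is missing" ;;
    esac
    return 0
}

# Constructed sample mirroring the mschap block quoted in this thread.
sample=$(mktemp)
printf '%s\n' 'mschap {' \
    '  ntlm_auth = "/user/bin/ntlm_auth --request-nt-key --username=radiustest"' \
    '}' > "$sample"
lint_ntlm_auth "$sample"
rm -f "$sample"
```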