Help with chap

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Sat May 18 14:26:39 CEST 2013


Hi,
  I seem to frequent this forum, hopefully one day I'll be answering some questions, not asking them.
I've recently got into mac based auth on a procurve 5406. It does either chap or peap-mschap authentication, and i'm using ntlm_auth for the mschap2 when using peap. It worked brilliantly in testing, but come production, when i reboot the switch or clear the authentication on the ports it can take up to ten minutes for 10-15 clients to authenticate, simply because the nas (i guess) gets overwhelmed and consequently I see loads of "eap did not complete" messages. These don't happen for individual transactions - they always complete fine. I can't see a way around this - we have loads of these switches..
So the question is the best way to use chap. I can't do it with ntlm_auth - so I thought of a few, possibly ridiculous options :

- Synch the content of the AD OU I have the mac address "users" in to an SQL database, maybe using vbscript/.net, including any state information like whether the account is disabled or expired and test against these custom fields during authentication. The authorisation process I currently have running against ldap doesn't pick up the account information being expired, maybe I need to look into this. I want to be able ideally to feed information back following a successful authentication to a custom attribute in AD, which is quite possible with an SQL database as an "intermediary", for example switch and port ID, useful stuff to know. I can't think of any native linux apps that can change AD attributes, excluding samba doing groups and passwords, maybe there is one?

- Use ldap as an authentication method? I know that AD will never give me back a password, but since this is mac authentication I was wondering if in the authorisation bit of the virtual server I could update the cleartext-password attribute based on the username as the two details are always identical in mac based auth, and then perform authentication with a known password. Maybe this would pick up locked usernames instead, again not sure about MS ldap in this area, never tried.

- use nps as a proxy for the authentication. I don't really want to do this, but nps will (I think) allow chap / AD authentication.

Any ideas which of these / other would be the right direction to follow? Need to do this in a hurry as the next switch is rolling out soon so don't have time to look into all of them..

Thanks
Andy


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130518/0ee14886/attachment.html>


More information about the Freeradius-Users mailing list