Help with chap

Alan DeKok aland at deployingradius.com
Sat May 18 14:37:22 CEST 2013 

Franks Andy (RLZ) IT Systems Engineer wrote:
> ... It worked brilliantly in testing, but come
> production, when i reboot the switch or clear the authentication on the
> ports it can take up to ten minutes for 10-15 clients to authenticate,

  That's bad.  10-15 clients should be done in a second or so.

  My guess is that the ntlm_auth process is taking a *long* time.  Maybe
your DNS settings are broken.

  Set up a test server.  Run it in debugging mode and see.  If the
authentication takes more than a second or so (wtih debug messages),
something is wrong.

> - Synch the content of the AD OU I have the mac address "users" in to an
> SQL database, maybe using vbscript/.net, including any state information
> like whether the account is disabled or expired and test against these
> custom fields during authentication.

  That will work for MS-CHAP.  Not for CHAP.

> The authorisation process I
> currently have running against ldap doesn't pick up the account
> information being expired, maybe I need to look into this. I want to be
> able ideally to feed information back following a successful
> authentication to a custom attribute in AD, which is quite possible with
> an SQL database as an "intermediary", for example switch and port ID,
> useful stuff to know. I can't think of any native linux apps that can
> change AD attributes, excluding samba doing groups and passwords, maybe
> there is one?

  A normal LDAP client should work.

> - Use ldap as an authentication method? I know that AD will never give
> me back a password, but since this is mac authentication I was wondering
> if in the authorisation bit of the virtual server I could update the
> cleartext-password attribute based on the username as the two details
> are always identical in mac based auth, and then perform authentication
> with a known password. Maybe this would pick up locked usernames
> instead, again not sure about MS ldap in this area, never tried.

  If it's MAC authentication, then FreeRADIUS can do the CHAP checking
itself.  And there's no point in doing *more* authentication.  The only
reasonable thing to do is various checks in LDAP for the MAC address.

> - use nps as a proxy for the authentication. I don't really want to do
> this, but nps will (I think) allow chap / AD authentication.

  No, it won't.  It's impossible.

> Any ideas which of these / other would be the right direction to follow?
> Need to do this in a hurry as the next switch is rolling out soon so
> don't have time to look into all of them..

  Step 1: find out what's wrong with the current system.

  If something is broken, fix it.  Don't work around the problem.  That
makes it worse.

  Alan DeKok.

More information about the Freeradius-Users mailing list