EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level

Alan DeKok aland at deployingradius.com
Fri Oct 21 00:07:00 CEST 2016

On Oct 20, 2016, at 5:40 PM, TJ2718 via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Originally I was using CentoOS 7 with Samba 4.2.10 and FreeRadius 3.0.4 on a Windows network that was on Server 2003 and Forest Functional Level.
> We were using certificate base authentications for tablets and username and password for certain users.
> We upgraded the functional level to 2012R2 Native and it broke everything.

  That's bad...

> Neither certificates or username and passwords would get any Accepts, only Rejects.

  The debug log will show why.  Please read it.

>  I changed the config from
> ...
> Just to get people working again.  This was confirmed with two test users using 

  Since I have no idea what your configuration does, I also have no idea why changing this would affect anything.

 Again, read the debug output.  There's a *reason* we recommend reading it.

  A user successfully logging in tells you almost nothing.  The debug log from a user getting rejected when you expect him to be accepted is *much* more useful. 

> Currently:
> I built another server on CentOS 7 but built Samba 4.5.0 and FreeRadius 4.0.x
> from source to see if newer versions were more compatible,

  Don't run v4.0.x.  It's not ready for production.

  Use 3.0.12, which is the most recent stable release, and documented as such on the web site.

> again closely following the deployingfreeradius.com guides.
> I edited the config files to try and get authorization working again.
> I can get it doing the same thing where certificates and all AD users can get logged in or
> only users in the WiFi group get Accepts but none of the certificates get Accepts.
> The odd thing, or least what I don't understand is:
> Why the certificates stop working even though the computer accounts are also in the WiFi security group.

  If only the debug output had useful information about the certificates.

  ... which it does.

> I guess what it comes down to is a few of questions:
> 1.  Is Samba 4.5.0/FreeRadius 4.0.x even compatible with a 2012R2 forest functional level (schema 69) as a member server?
>     I've seen some posts stating that it's experimental as a DC but not whether a member server is working/stable.

  It should work.

> 2.  Is it compatible with a Windows Server 2016 forest functional level as we will be heading down that road soon?

  If you changed Windows and it stopped working... blame Windows.  Not FreeRADIUS.

> 3.  Should it be possible to have certificate based authorizations AND LDAP group authorizations working on the same server.
>     If yes, I would greatly appreciate any tips or help in figuring out how to get it configured correctly and working again.

  If you had it working before, it should continue to work.

  Barring things like *old* certificates, or certificates which have deprecated message digest methods.

> Thank you for any guidance you can provide,
> Travis
> radiusd -X

  Which shows the server starting up, but does *not* show it receiving any packets.  Which means it's completely useless.

  You should be able to fix this with a bit of patience.

1) install 3.0.12


3) you may need to re-issue all certificates.  Or maybe not, if the problem is only LDAP groups.

  Either way, you haven't posted enough information.  I can only make wild guesses as to what the problem is.

  Alan DeKok.

More information about the Freeradius-Users mailing list