Hello all,

We are in the process of testing 802.1x authentication for future deployment on campus. Our test setup includes the following:

freeradius-snapshot-20040427 running on RHEL 3.0 AS
Configured for PEAP with MSCHAPv2 using SAMBA's winbind/ntlm_auth
Multiple AD domains (smb.conf points to a Global Catalog Server)
Linux/Windows XP/Windows 2K/Mac OS X clients

What works:
1. Using "wbinfo -a domain+user%password" I can authenticate as any user in any of our domains.
2. 802.1x auths as long as I don't supply a domain and the user is in the domain that the GC is in.

What doesn't work:
1. Supplying domain with login credentials. I've got a realm for each of our domains set up and I can see the preprocess module doing its job separating domain from username. Then the MSCHAPv2 module kicks in and the call to NTLM_AUTH fails with "wrong password".

1. Keeping in mind that user1 in domain1 can auth as long as domain1 isn't supplied, why does supplying domain1 cause the auth to fail?
2. What does preprocess do with the realm it strips off? I'd like to be able to pass the realm as a --domain option to ntlm_auth.
3. Why does PEAP think the username is still domain/user? I see the following in the logs while running "radius -X -A":

    PEAP: Setting User-Name to UMC-USERS\dourtyb
    PEAP: Adding old state with 17 b0
    PEAP: Sending tunneled request

Should it be using Stripped-User-Name instead?

Thanks,
Brian Dourty
IAT Services
University of Missouri - Columbia

