> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Josh Howlett
> Sent: 12 April 2006 11:48
> To: FreeRadius users mailing list
> Subject: Re: How do I set up simple AD integration?
>
> Burton, Steven wrote:
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> >> Sent: 11 April 2006 16:28
> >> To: FreeRadius users mailing list
> >> Subject: Re: How do I set up simple AD integration?
> >>
> >> "Burton, Steven" <[EMAIL PROTECTED]> wrote:
> >>> This stanza is enclosed with the mschap section, still nothing ventured....
> >>> I changed the line and unfolded it and ran radiusd -X. The first
> >>> request didn't match anything useful and was rejected by System. I
> >>> tried again but ticked the box 'CHAP' on NTRadPing and got the
> >>> output:
> >> You can't do CHAP to MS AD. It's impossible.
> >>
> >> Alan DeKok.
> >
> > My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
> > I still hope to get 802.1x working with FR before I'm told to stop wasting
> > time and buy something :-) but after two and a half days (on and off) I'm no closer.
>
> Steve,
>
> I strongly suggest you start off doing PEAP against the 'users' file,
> and once that's working get the domain stuff working.
>
> It sounds to me like you're trying to do too much at once, and too many
> things are broken for you to know where to start!
>
> Once you've got PEAP working against the 'users' file, create a machine
> account in the AD for the RADIUS server (using the Samba tools) and then
> use the ntlm_auth program (that comes with Samba) to test standard
> authentication.
>
> Once you've got that far, it's just a matter of configuring FreeRADIUS
> to use ntlm_auth. But you can worry about that later :-)
>
> This isn't difficult, it's largely a matter of making sure you do the
> right steps in the right order...
>
> best regards, josh.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Well, IT'S WORKING!! Thank you all for your help, advice and support.
Alas, I didn't back up the files last night so I'm not sure exactly what I did to make it work but I can now see it authenticating and then the connection is made. I have set it to put user names in the log and I hope to have it write accounting logs soon.

More worryingly, I'm seeing this error message in radiusd.log:

Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)

AFAIK there is no certificate A on the client (or supplicant) so the error message is probably correct but is it a problem in security terms?
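
An added example, not part of the original post and not FreeRADIUS code: a small Python triage script for the radiusd.log excerpt above. It pairs each TLS_accept message with the next "Login OK" from a NAS client, so handshake messages from sessions that went on to authenticate are separated from ones that did not. The function names, the 5-second pairing window, the reading of the "localhost" lines as the tunnelled inner request, and the final sample line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Log lines from the post (terminal wraps rejoined). The last line, 13:30:00, is
# constructed to show a handshake message that no login follows.
SAMPLE_LOG = r"""
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:30:00 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")
LOGIN_RE = re.compile(r"^Login OK: \[(?P<user>[^\]]*)\] "
                      r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)")

def parse(text):
    """Yield (timestamp, level, message) for each well-formed radiusd.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2), m.group(3)

def triage_tls_errors(text, window_s=5):
    """Pair each TLS_accept error with the first NAS 'Login OK' inside the window."""
    events = list(parse(text))
    results = []
    for i, (ts, level, msg) in enumerate(events):
        if level != "Error" or not msg.startswith("TLS_accept:"):
            continue
        login = None
        for ts2, level2, msg2 in events[i + 1:]:
            if ts2 - ts > timedelta(seconds=window_s):
                break
            m = LOGIN_RE.match(msg2) if level2 == "Auth" else None
            # Assumption: "localhost" is the inner tunnel; the NAS line names the real client
            if m and m.group("client") != "localhost":
                login = m.groupdict()
                break
        results.append({"time": ts, "message": msg, "login": login})
    return results

if __name__ == "__main__":
    for r in triage_tls_errors(SAMPLE_LOG):
        print(r["time"], "|", r["login"] or "NO login followed: review")
```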

