Hey FreeRADIUS users,

the testlab looks like this:

Windows 2003 (AD) <---> Freeradius <---> Enterasys switch/Cisco WLAN <---> Linux/MS-Client

802.1x via PEAP works, so the next step is machine authentication, to also get an 802.1x domain login. Like in this post (http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-November/058021.html) we have upgraded our releases:

Samba: Version 3.0.23c
FreeRADIUS Version 1.1.2

The supplicant is the original Windows supplicant and machine authentication is activated. Because we are working with the policy system from Enterasys, the normal user authentication starts with an LDAP request to the Active Directory for group-to-policy mapping. Therefore we have user entries such as:

DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == ISALAB.local
        Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole",
        Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network",
        Fall-Through = No

So there will be the LDAP request for the group adminrole and then it will be sent to the switch with the above Filter-ID. This works well for user auth, but with machine auth there are now problems, because I see the machine LDAP request now for host/it88.isalab.local and that fails:

=============================================
....
Nov 9 15:30:02 Xradius radius: rlm_ldap: object not found or got ambiguous search result
Nov 9 15:30:02 Xradius radius: rlm_ldap::ldap_groupcmp: search failed
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_release_conn: Release Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: Entering ldap_groupcmp()
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Checking Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Got Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: object not found or got ambiguous search result
Nov 9 15:30:02 Xradius radius: rlm_ldap::ldap_groupcmp: search failed
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_release_conn: Release Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: - authorize
Nov 9 15:30:02 Xradius radius: rlm_ldap: performing user authorization for host/it88.isalab.local
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Checking Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Got Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: object not found or got ambiguous search result
Nov 9 15:30:02 Xradius radius: rlm_ldap: search failed
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_release_conn: Release Id: 0
Nov 9 15:30:02 Xradius radius: Login incorrect (rlm_ldap: User not found): [host/it88.isalab.local/<no User-Password attribute>] (from client enterasys port 31005 cli 00-04-75-18-1B-82)
Nov 9 15:30:20 Xradius radius: rad_recv: Access-Request packet from host 141.201.43.115:41722, id=8, length=167
Nov 9 15:30:20 Xradius radius: Sending Access-Reject of id 10 to 141.201.43.115 port 41721
Nov 9 15:30:20 Xradius radius: Reply-Message = "Authentication failed ... no access"
Nov 9 15:30:20 Xradius radius: Sending Access-Reject of id 35 to 141.201.43.115 port 41720
Nov 9 15:30:20 Xradius radius: Reply-Message = "Authentication failed ... no access"
Nov 9 15:30:20 Xradius radius: Message-Authenticator = 0x59025dcce5cd0abfa5433e98b7716282
Nov 9 15:30:20 Xradius radius: User-Name = "host/it88.isalab.local"
Nov 9 15:30:20 Xradius radius: NAS-IP-Address = 141.201.43.115
Nov 9 15:30:20 Xradius radius: Called-Station-Id = "00-E0-63-93-75-B3"
Nov 9 15:30:20 Xradius radius: NAS-Port = 31005
Nov 9 15:30:20 Xradius radius: NAS-Port-Id = "fe.3.5"
Nov 9 15:30:20 Xradius radius: NAS-Port-Type = Ethernet
Nov 9 15:30:20 Xradius radius: Service-Type = Framed-User
Nov 9 15:30:20 Xradius radius: Calling-Station-Id = "00-04-75-18-1B-82"
Nov 9 15:30:20 Xradius radius: EAP-Message = 0x0201001b01686f73742f697438382e6973616c61622e6c6f63616c
Nov 9 15:30:20 Xradius radius: Framed-MTU = 1300
=============================================

Then I've tested a bit with ntlm_auth:

16:11:57 Xradius /etc/raddb [root]ntlm_auth --request-key --domain=ISALAB.LOCAL --username=host/it88.isalab.local
password:
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

... so I think this is the wrong request! With:

16:12:38 Xradius /etc/raddb [root]ntlm_auth --request-key --domain=ISALAB.LOCAL --username=it88$
password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

I get the wrong password, so I think this user/machine is available!

Any ideas how to go on?!?

thanks
mIke
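
An added example, not part of the original post and not FreeRADIUS code: it decodes the EAP-Message from the log above into the identity the supplicant sent, then derives the account name to look up. The function names are hypothetical, and it assumes the AD computer account is the first label of the FQDN plus "$", which matches the it88$ test in the post.

```python
# EAP-Message value copied from the Access-Request in the log above.
EAP_HEX = "0x0201001b01686f73742f697438382e6973616c61622e6c6f63616c"

def eap_identity(hex_value):
    """Return the identity carried in an EAP-Response/Identity packet."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus type byte")
    code, eap_type = raw[0], raw[4]
    length = int.from_bytes(raw[2:4], "big")   # covers header + data
    if length < 5 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    if code != 2 or eap_type != 1:             # 2 = Response, 1 = Identity
        raise ValueError("not an EAP-Response/Identity")
    return raw[5:length].decode("utf-8")

def sam_account_name(identity):
    """Map a supplicant identity to the account name to search for.

    Assumption: 'host/<fqdn>' is a machine identity whose account is
    '<first label>$'; 'DOMAIN\\user' and 'user@realm' are reduced to 'user'.
    """
    if identity.lower().startswith("host/"):
        short = identity[5:].split(".", 1)[0]
        if not short:
            raise ValueError("machine identity without a host name")
        return short + "$"
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    return identity.split("@", 1)[0]

def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)

def account_filter(identity):
    """Build an escaped sAMAccountName filter for the identity."""
    return "(sAMAccountName=%s)" % ldap_escape(sam_account_name(identity))

if __name__ == "__main__":
    ident = eap_identity(EAP_HEX)
    print(ident, "->", account_filter(ident))
```

Escaping the name before it goes into the filter matters because the identity is supplied by the client before it has authenticated.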