yeah I'm trying to authenticate and authorize administrative tty session to the 
cisco equipment itself, not 802.1x for clients on the network.  If it's not 
possible I guess it's not possible.  It does kind of make me wonder how the 
Cisco ACS works though because that 'proxies' radius or tacacs+ authen and 
author requests to active directory quite nicely.

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rupert Finnigan
        Sent: Wednesday, December 03, 2008 2:04 PM
        To: FreeRadius users mailing list
        Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory

        Hi,
         
        I'm not sure if what you're doing is going to work.. You're trying to 
use MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP 
advice given so far is to get EAP working from a client, say an XP laptop doing 
802.1X to gain access to a switchport.
         
        Someone will definitely correct me if I'm wrong, but I thought you 
could only do PAP (or CHAP???) for Authentication to a Terminal line. In which 
case, you either have to use the plain old users file, use a database such as 
mysql, or (probably a better solution) use the LDAP module to bind to the AD 
with the supplied username and password, and allow access if successful.
         
        Like I say - I'm really unsure on this one, but as no one's replied for 
a while I thought it might help...
         
        Thanks,
         
        Rupes
        
        
        2008/12/3 Ben Little <[EMAIL PROTECTED]>
        


                PAP is working:
                
                ++[pap] returns updated
                Found Auth-Type = PAP
                +- entering group PAP {...}
                [pap] login attempt with password "secretz"
                [pap] Using clear text password "secretz"
                [pap] User authenticated successfully
                ++[pap] returns ok
                +- entering group post-auth {...}
                ++[exec] returns noop
                Sending Access-Accept of id 21 to *.*.*.* port 1645
                       Cisco-AVPair = "shell:priv-lvl=15"
                Finished request 1.
                
                Going to the next request
                
                Waking up in 4.9 seconds.
                
                Cleaning up request 1 ID 21 with timestamp +431
                Ready to process requests.
                
                For some reason though, even when configured to do so, the 
authentication attempt coming from a switch or router is not being forwarded to 
the KDC.  I have followed that how-to now to the letter and Active Directory is 
not working, however active directory and krb are both working fine on the 
server:
                
                [wbinfo -a test%test output]
                plaintext password authentication failed
                Could not authenticate user test%test with plaintext password
                challenge/response password authentication succeeded
                
                I'm not sure what I am missing here. Why isn't the login 
attempt on the switch being forwarded to active directory?  Is there something 
within the switch that needs to be set? A radius attribute maybe to identify 
the login attempt as mschap?
                

                > Howto will show you how to set up and test with pap first:

                -
                List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
                


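The LDAP-bind approach Rupert suggests, written out as FreeRADIUS 2.x configuration. This is an added example, not configuration from the thread or from the FreeRADIUS project; the domain controller name, service-account DN, AD group name, certificate path and the `raddb` file locations are assumptions. It assumes the switch sends the tty login as PAP, which is what the log above shows working.

```conf
# --- raddb/modules/ldap (assumed path) -------------------------------------
# Look the user up in AD, then authenticate by binding to AD as that user
# with the PAP password the switch sent. The password crosses the wire to AD,
# so the connection to the domain controller is LDAPS with certificate checks.
ldap {
    server = "dc1.example.local"          # hypothetical domain controller
    port = 636
    tls {
        start_tls = no                    # port 636 is already LDAPS
        cacertfile = /etc/raddb/certs/ad-ca.pem   # assumed CA bundle path
        require_cert = "demand"
    }
    identity = "CN=radius-lookup,OU=Service Accounts,DC=example,DC=local"
    password = "lookup-account-password"  # read-only lookup account (assumed)
    basedn = "DC=example,DC=local"
    # AD logins live in sAMAccountName; use the realm-stripped name if present
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    # Group membership check used by the users file below
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    # AD returns no password hash, so rlm_ldap sets Auth-Type = LDAP itself
    set_auth_type = yes
}

# --- raddb/users (assumed path) ----------------------------------------------
# Members of the assumed "NetAdmins" group get an enable-level exec session;
# every other AD account that authenticates is still refused device access.
DEFAULT Ldap-Group == "NetAdmins"
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for device login"

# --- raddb/sites-enabled/default (assumed path), relevant sections only -------
authorize {
    preprocess
    ldap        # finds the user's DN, sets Auth-Type = LDAP
    files       # runs after ldap so the Ldap-Group check above can be evaluated
    pap
}
authenticate {
    Auth-Type LDAP {
        ldap    # binds to AD as the user with the cleartext PAP password
    }
    Auth-Type PAP {
        pap
    }
}
```

Because the bind needs the cleartext password, this path works for PAP logins only; an MS-CHAP request from the switch carries no password to bind with and would still have to go through winbind as the how-to describes.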