Well, yes - it does proxy them fine.. But is the request from the switch a MS-CHAP one? I don't think it is..
The switch will be sending a PAP request, not a MS-CHAP one, and so you'll need to configure FreeRADIUS to take the PAP request and auth that against AD. As the switch isn't sending a MS-CHAP request, FreeRADIUS can't process it as such, and so the MS-CHAP module returns noop. Unfortunately, I'm not clued up enough on FreeRADIUS to help you with this config, but in essence this is what I think you need to do to achieve your goal.

2008/12/3 Ben Little <[EMAIL PROTECTED]>

> Yeah, I'm trying to authenticate and authorize administrative tty sessions
> to the Cisco equipment itself, not 802.1x for clients on the network. If
> it's not possible I guess it's not possible. It does kind of make me wonder
> how the Cisco ACS works though, because that 'proxies' RADIUS or TACACS+
> authen and author requests to Active Directory quite nicely.
>
> ------------------------------
>
> From: freeradius-users-bounces+blittle=skylight.com@lists.freeradius.org On Behalf Of Rupert Finnigan
> Sent: Wednesday, December 03, 2008 2:04 PM
> To: FreeRadius users mailing list
> Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
>
> Hi,
>
> I'm not sure if what you're doing is going to work.. You're trying to use
> MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP
> advice given so far is to get EAP working from a client, say an XP laptop
> doing 802.1X to gain access to a switchport.
>
> Someone will definitely correct me if I'm wrong, but I thought you could
> only do PAP (or CHAP???) for authentication to a terminal line. In which
> case, you either have to use the plain old users file, use a database such
> as MySQL, or (probably a better solution) use the LDAP module to bind to the
> AD with the supplied username and password, and allow access if successful.
>
> Like I say - I'm really unsure on this one, but as no-one's replied for a
> while I thought it might help...
>
> Thanks,
>
> Rupes
>
> 2008/12/3 Ben Little <[EMAIL PROTECTED]>
>
>> PAP is working:
>>
>> ++[pap] returns updated
>> Found Auth-Type = PAP
>> +- entering group PAP {...}
>> [pap] login attempt with password "secretz"
>> [pap] Using clear text password "secretz"
>> [pap] User authenticated successfully
>> ++[pap] returns ok
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> Sending Access-Accept of id 21 to *.*.*.* port 1645
>> Cisco-AVPair = "shell:priv-lvl=15"
>> Finished request 1.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 1 ID 21 with timestamp +431
>> Ready to process requests.
>>
>> For some reason though, even when configured to do so, the authentication
>> attempt coming from a switch or router is not being forwarded to the KDC. I
>> have followed that how-to now to the letter and Active Directory is not
>> working, however Active Directory and krb are both working fine on the
>> server;
>>
>> [wbinfo -a test%test output]
>> plaintext password authentication failed
>> Could not authenticate user test%test with plaintext password
>> challenge/response password authentication succeeded
>>
>> I'm not sure what I am missing here? Why isn't the login attempt on the
>> switch being forwarded to Active Directory? Is there something within the
>> switch that needs to be set? A RADIUS attribute maybe to identify the login
>> attempt as MS-CHAP?
>>
>> > Howto will show you how to set up and test with pap first:
>> >
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
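An added example, not part of this thread or of the FreeRADIUS project's own documentation: the configuration that does what Rupert describes, i.e. takes the PAP request from the switch and checks the password against AD. It uses the ntlm_auth exec module that FreeRADIUS 2.x ships as raddb/modules/ntlm_auth (the winbind path; ntlm_auth with --username/--password does a challenge/response check, which is the part the quoted wbinfo -a output shows succeeding) rather than the LDAP bind Rupert also mentions. The domain name MYDOMAIN, the path to the ntlm_auth binary and the exact module ordering are assumptions to adjust for your site.

```conf
# raddb/modules/ntlm_auth  (FreeRADIUS 2.x; added example, not the thread's config)
# Samba's ntlm_auth asks winbind to verify the password, so the server must
# already be joined to the domain (wbinfo -a working, as in the quoted thread).
# MYDOMAIN and /usr/bin/ntlm_auth are assumed values.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default  (only the relevant parts shown)
authorize {
	preprocess
	chap
	mschap
	suffix
	files
	pap
	# A PAP login from the switch arrives as a User-Password attribute.
	# If nothing above has claimed the request (i.e. the users file has no
	# Cleartext-Password for this user, which is what made [pap] take the
	# test login in the quoted debug output), hand it to AD.
	if (User-Password && !control:Auth-Type) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	# With wait = yes, exit status 0 from ntlm_auth means the password was
	# accepted by the domain (Access-Accept); non-zero rejects the request.
	Auth-Type ntlm_auth {
		ntlm_auth
	}
}
```

Check the pieces in order: first run the ntlm_auth command line from the module file by hand as the radiusd user (ntlm_auth --request-nt-key --domain=MYDOMAIN --username=test --password=test), which should report NT_STATUS_OK; then radtest against localhost; only then the switch. The shell:priv-lvl=15 reply seen in the quoted Access-Accept is unrelated to which backend authenticated the user and can stay where it is (users file or post-auth), but it grants full enable on every box that accepts this server, so restrict it to the admin group rather than a DEFAULT entry. Two caveats worth keeping in mind with this setup: a users-file entry carrying a Cleartext-Password for an AD user will keep that user's request local, exactly as in the quoted log; and PAP means the password itself reaches the RADIUS server in User-Password, obfuscated only with the shared secret and printed in the clear by radiusd -X (the quoted log shows "secretz"), so keep the switch-to-RADIUS path on the management network and don't leave debug output in persistent logs.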

