On Apr 8, 2009, at 11:28 AM, john wrote:

Can you suggest a way to test the cert?

Well, you can use the openssl utility to see what your server certificate contains:

$ openssl x509 -text -in <server-cert-file>

Wireshark tells me that my 3Com 3226 switch is sending an eap reject
immediately after I connect the supplicant to a port protected with
.1x. I don't see any traffic between the switch and freeradius so I am
wondering if the switch doesn't support peap? Perhaps I should back
off and try md5 or something?

Your switch doesn't *need* to support any particular EAP type because the EAP exchange is actually between the supplicant and RADIUS. Your switch just passes the messages back and forth between the two. If you see your switch doing EAP with the supplicant (i.e. EAP is happening, but you don't see it at the RADIUS server), your switch may be doing what some vendors call 'EAP off-loading'. In other words, the switch is handling EAP to get at the credentials it eventually authenticates against RADIUS. But I don't know if 3Com switches do this, and if they do, it's probably not default.

Also since I am throwing out the litany of my ignorance I haven't
solved in a good way a complaint that I get when I am testing via
'wbinfo -a username%password'. I've had to chmod 777
/var/run/samba/winbindd_privileged in order to use the socket, of
course restarting winbind resets the perms here. I saw something about
enabling extending ACLs on the file system to work around this
issue. I'd be interested to know what you ended up doing.

Just add the freerad user to the winbindd_priv group.

Mike Loosbrock
Bethel University Network Services
651-638-6723
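
The group-membership fix suggested above can be verified with a small audit helper. This is an added example, not part of the original message or of FreeRADIUS/Samba; the function names are hypothetical, and the path, user and group are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: check that a service account reaches the winbindd privileged
# pipe directory through group membership, not through world permissions.

# Octal mode of a path, e.g. 750 (GNU stat first, BSD stat as fallback).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Name of the group that owns a path.
dir_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# Succeeds if user $1 is a member of group $2 (group names without spaces).
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Prints one verdict: ok | world-accessible | not-in-group | missing
check_priv_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo missing; return 1; }
    # The last octal digit is the "other" permission set. Anything but 0
    # (for example after chmod 777) lets every local account reach the socket.
    case "$(dir_mode "$dir")" in
        *[1-7]) echo world-accessible; return 1 ;;
    esac
    if user_in_group "$user" "$(dir_group "$dir")"; then
        echo ok
    else
        # Fix: usermod -a -G winbindd_priv freerad, then restart the RADIUS
        # daemon so the running process picks up the new group.
        echo not-in-group
        return 1
    fi
}

# Stand-alone use:
#   sh check.sh /var/run/samba/winbindd_privileged freerad
if [ "$#" -eq 2 ]; then
    check_priv_dir "$1" "$2"
fi
```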
