This isn't a comment on FreeRadius, but in our recent experiences with 802.1x and Windows XP clients it was a total waste of time. The built-in XP dot1x client is not up to the job. We had contractors in trying to make it work and everything was perfect on the network setup. In the end, Windows XP simply had issues authenticating 100% of the time (probably closer to 65%). When you do get it to authenticate properly you'll run into problems with anyone else doing an RDP to the Windows server (say your helpdesk folks) because re-authentication will kick in and drop the connection.
Your best bets are: Windows 7 for the improved dot1x client; scrap dot1x and do port-based access-lists; do VMPS with FreeRadius.

________________________________
From: freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org <freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org>
To: FreeRadius users mailing list <[email protected]>
Sent: Wed Oct 20 07:22:56 2010
Subject: 802.1x host/machine authentication

Hi,

I have the following setup, where a Windows host is connected to a Cisco 2960, which is connected to Microsoft AD via a RADIUS proxy:

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) -> Microsoft AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1 authentication. I am struggling hard to make host authentication successful. When the machine boots I see a RADIUS Access-Request with User-Name = "host/radhost1.testad1.com", which qualifies as an IPASS-type realm and searches for the realm "host", and things do not work. Please point me to links/docs or give me a pointer on where/how to start.
rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141, length=165
        User-Name = "host/radhost1.testad1.com"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-21-D7-00-51-89"
        Calling-Station-Id = "00-13-20-38-33-27"
        EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
        Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
        NAS-Port-Type = Ethernet
        NAS-Port = 50009
        NAS-IP-Address = 192.168.6.200
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for User-Name = "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length 30
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
        EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.

Thanks & Regards
--
Chidanand Gangur
Pune.

________________________________
This message contains confidential information and is intended only for the individual named. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
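The realm handling visible in the debug output above, as an added example that is not part of this thread or of FreeRADIUS itself: a small Python script that mimics rlm_realm's prefix/suffix splitting (which is why a User-Name of "host/radhost1.testad1.com" with the IPASS module's "/" prefix delimiter yields realm "host" and Stripped-User-Name "radhost1.testad1.com"), and a scanner that reads radiusd -X lines and flags the two things a reviewer would notice in that log: a machine identity being split as if its "host" prefix were a realm, and the server starting the EAP conversation with type md5 even though the client is configured for PEAP. The log sample is copied from the thread (trimmed); the "host/" classification, the heuristic that derives the AD domain from the FQDN, and the finding codes are this example's own assumptions, not FreeRADIUS behaviour.

```python
import re

# Sample lines from the radiusd -X output quoted in the thread, trimmed to the
# ones the analysis needs (constructed excerpt; Outlook auto-link residue removed).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141, length=165
        User-Name = "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for User-Name = "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
"""

MACHINE_PREFIX = "host/"  # assumption: Windows machine auth identities look like host/<fqdn>


def split_realm(user_name, fmt="prefix", delimiter="/"):
    """Mimic rlm_realm: return (stripped_user, realm) or (user_name, None).

    format = prefix splits at the FIRST delimiter (realm/user, e.g. IPASS);
    format = suffix splits at the LAST delimiter (user@realm).
    """
    if fmt == "prefix":
        idx = user_name.find(delimiter)
        return (user_name, None) if idx == -1 else (user_name[idx + 1:], user_name[:idx])
    if fmt == "suffix":
        idx = user_name.rfind(delimiter)
        return (user_name, None) if idx == -1 else (user_name[:idx], user_name[idx + 1:])
    raise ValueError("format must be 'prefix' or 'suffix'")


def classify_identity(user_name):
    """Return ('machine', domain) for host/<fqdn>, otherwise ('user', None).

    Taking the AD domain as everything after the first dot of the FQDN is this
    example's heuristic, not something FreeRADIUS does on its own.
    """
    if user_name.startswith(MACHINE_PREFIX):
        fqdn = user_name[len(MACHINE_PREFIX):]
        domain = fqdn.split(".", 1)[1] if "." in fqdn else None
        return "machine", domain
    return "user", None


# Patterns for the radiusd -X lines the scanner cares about.
USER_NAME_RE = re.compile(r'^\s*User-Name = "([^"]*)"')
REALM_LOOKUP_RE = re.compile(r'\[(\w+)\] Looking up realm "([^"]*)"')
REALM_FOUND_RE = re.compile(r'\[(\w+)\] Found realm "([^"]*)"')
EAP_TYPE_RE = re.compile(r"\[eap\] processing type (\w+)")


def analyse_log(text):
    """Scan radiusd -X output and return a list of (code, detail) findings."""
    user_name = None
    lookups = {}      # realm module -> realm string it looked up
    found = {}        # realm module -> realm entry it matched
    eap_types = []    # EAP methods in the order the server processed them
    for line in text.splitlines():
        m = USER_NAME_RE.match(line)        # only the attribute dump line, not log prose
        if m:
            user_name = m.group(1)
            continue
        m = REALM_LOOKUP_RE.search(line)
        if m:
            lookups[m.group(1)] = m.group(2)
            continue
        m = REALM_FOUND_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
            continue
        m = EAP_TYPE_RE.search(line)
        if m:
            eap_types.append(m.group(1))

    findings = []
    if user_name is not None:
        kind, domain = classify_identity(user_name)
        if kind == "machine":
            for module, realm in lookups.items():
                if realm == "host":   # the machine prefix was consumed as a realm name
                    findings.append((
                        "machine-identity-split",
                        f"{module} treated the 'host' prefix of {user_name!r} as a realm "
                        f"(matched {found.get(module, '<none>')!r}); the machine's domain is {domain!r}",
                    ))
    if eap_types and eap_types[0] == "md5":
        # The first method after EAP Identity comes from default_eap_type in eap.conf;
        # a PEAP supplicant has to NAK md5 before PEAP can start.
        findings.append((
            "eap-default-md5",
            "first EAP method offered after Identity is md5; check default_eap_type in eap.conf",
        ))
    return findings


if __name__ == "__main__":
    for code, detail in analyse_log(SAMPLE_LOG):
        print(f"{code}: {detail}")
```

Running the script on the excerpt prints both findings. The useful part for the thread's problem is `split_realm`: with the IPASS module's prefix format there is no way for rlm_realm to know that "host" is a Windows naming convention rather than a realm, so machine identities need to be recognised (for instance by their "host/" prefix) before the realm modules run, and routed to the AD domain that owns the host.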

