> McNutt, Justin M. wrote:
> > New member to the list, here.  I have a question about AD computer-based
> > authentication.  Basically, how is it accomplished?
> 
> http://deployingradius.com/documents/configuration/active_directory.html
> 
>   It's pretty much the same as normal user authentication.  PEAP goes
> in, authentication goes out, never a miscommunication. :)

If I recall, we used this walkthrough to get user authentication to work (which 
it does), but it still doesn't work for host authentication.  This is keeping 
in mind that users' creds come across as "NT-LIKE-DOMAIN\\USERID" but hosts 
appear as "host\\computer.ad.domain.name" AND that "NT-LIKE-DOMAIN" and 
"ad.domain.name" do not look at all alike.

I'll re-read the link, though, just to be sure.

>   So... what goes wrong?

For users, it's a number of things.  Bad passwords.  Attempts to use EAP-TLS or 
EAP-MD5 (which we don't support).  Misspelled or missing domain names.  That 
sort of thing.

For the hosts, it Just Doesn't Work.  I have yet to determine why.  (More 
research.)

>   Post the debug log from a failed session.

Will do.  (Pulling just the relevant bits out will be difficult, given the 
verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so 
it shouldn't take long.)

--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
