Removing the shared secrets, LDAP user passwords, etc. was the redacting I was talking about. That, and removing the thousands of messages related to other users' auth attempts, if I had had to do this on a production server.
Fortunately, that wasn't necessary. I was able to get a valid debug log from the test server.

--J

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Sallee, Stephen (Jake)
> Sent: Sunday, February 27, 2011 4:05 PM
> To: FreeRadius users mailing list
> Subject: RE: New User and AD Question
>
> Two comments about posting logs ...
>
> #1 Post the entire log of radiusd -X (NOT -XX, that has a bunch of timestamps we don't need) and don't redact anything that's not privileged info, you can very easily remove the portion of the log that holds the answer to your questions.
>
> #2 your output of radiusd -X WILL CONTAIN your SSL cert passwords in CLEAR TEXT! So make sure you remember to scrub them of any info you don't want becoming public.
>
> Jake Sallee
> Godfather Of Bandwidth
> Network Engineer
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of McNutt, Justin M.
> Sent: Sunday, February 27, 2011 2:05 PM
> To: FreeRadius users mailing list
> Subject: RE: New User and AD Question
>
> > McNutt, Justin M. wrote:
> > > New member to the list, here. I have a question about AD computer-based
> > > authentication. Basically, how is it accomplished?
> >
> > http://deployingradius.com/documents/configuration/active_directory.html
> >
> > It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)
>
> If I recall, we used this walkthrough to get user authentication to work (which it does), but it still doesn't work for host authentication. This is keeping in mind that users' creds come across as "NT-LIKE-DOMAIN\\USERID" but hosts appear as "host\\computer.ad.domain.name" AND that "NT-LIKE-DOMAIN" and "ad.domain.name" do not look at all alike.
>
> I'll re-read the link, though, just to be sure.
>
> > So... what goes wrong?
>
> For users, it's a number of things. Bad passwords. Attempts to use EAP-TLS or EAP-MD5 (which we don't support). Misspelled or missing domain names. That sort of thing.
>
> For the hosts, it Just Doesn't Work. I have yet to determine why. (More research.)
>
> > Post the debug log from a failed session.
>
> Will do. (Pulling just the relevant bits out will be difficult, given the verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so it shouldn't take long.)
>
> --J
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
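The scrubbing discussed in this thread (secret values, and other users' auth attempts on a busy server) can be scripted. The following is an added example, not code from the thread or from the FreeRADIUS project. It assumes sensitive items appear as `name = value` lines whose name ends in "password" or "secret", and that each received packet starts a block with a `rad_recv:` line; the sample log is constructed.

```python
import re

# Assumption: sensitive items appear as 'name = value' lines whose name ends
# in "password" or "secret" (e.g. secret, private_key_password, User-Password).
SECRET_RE = re.compile(r'^(\s*[\w.-]*(?:password|secret)\s*=\s*).*$', re.I)
USER_RE = re.compile(r'^\s*User-Name\s*=\s*"(.*)"\s*$')
BLOCK_START = "rad_recv:"  # assumption: each received packet starts a block


def scrub(log_text, keep_user=None):
    """Redact secret values; optionally drop other users' packet blocks.

    Lines before the first rad_recv: (the startup config dump) are always kept.
    """
    out, block, user, in_requests = [], [], None, False

    def flush():
        # Keep the startup dump, everything when no filter is set, or a match.
        if not in_requests or keep_user is None or user == keep_user:
            out.extend(block)

    for line in log_text.splitlines():
        if line.startswith(BLOCK_START):
            flush()
            block, user, in_requests = [], None, True
        m = USER_RE.match(line)
        if m and in_requests and user is None:
            user = m.group(1)
        block.append(SECRET_RE.sub(r'\1"<REDACTED>"', line))
    flush()
    return "\n".join(out)


# Constructed sample, not taken from the thread.
SAMPLE = """\
    private_key_password = "whatever"
    secret = "testing123"
Ready to process requests.
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=1, length=90
    User-Name = "alice"
    User-Password = "hunter2"
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=2, length=120
    User-Name = "host/pc1.example.test"
    EAP-Message = 0x0201000501
"""

if __name__ == "__main__":
    print(scrub(SAMPLE, keep_user="host/pc1.example.test"))
```

The name pattern only catches items that follow the assumed naming, so read the scrubbed output through once before posting it.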

