On 03/03/11 11:52, Matt Langthorpe wrote:
> Hi list,
> I'm pretty sure this issue is straightforward but I've searched the
> list and can't come up with an answer.
> I'm using freeradius 2.19 on CentOS 5.5.
> I'm trying to auth users from a NAC box (Bradford Campus Manager)
> against an AD domain using freeradius.
> All works fine when I point an AP at freeradius, but things fail
> when using our NAC to forward requests to FreeRadius. I suspect
> the problem is that the NAC is trying to use PAP, but I'm not sure how
> to really resolve the problem.

PAP requires a password or password hash from a database/LDAP, or an
external "oracle" (script or service) that checks the password.

Your LDAP isn't telling FreeRadius the password:

  [ldap] looking for reply items in directory...
  WARNING: No "known good" password was found in LDAP. Are you sure that
  the user is configured correctly?

...so when the "pap" module runs:

  [pap] WARNING! No "known good" password found for the user.
  Authentication may fail because of this.
  ++[pap] returns noop
  No authenticate method (Auth-Type) configuration found for the request:
  Rejecting the user
  Failed to authenticate the user.

If you're using AD, the LDAP server will not (cannot) give you a
password or password hash. You'll therefore need to use Samba & the
"ntlm_auth" helper binary (in "plaintext" mode, not MSCHAP) to do this.

In recent versions of FreeRadius there is a file defining an "exec" module:
/etc/raddb/modules/ntlm_auth
...edit the "MYDOMAIN" in that file to the correct value, and you can
use it like this:
authorize {
    ...
    # everything else, then right at the end
    update control {
        # "=" sets Auth-Type only if nothing earlier in authorize
        # (e.g. the mschap or eap module) already set it; ":=" would
        # overwrite whatever they chose
        Auth-Type = ntlm_auth
    }
}

authenticate {
    # runs the "exec" module defined in modules/ntlm_auth
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}

Obviously Samba & Winbind will need to be installed and configured, and the
RADIUS server joined to the domain.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
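The check a practitioner would want before wiring ntlm_auth into radiusd, as an added example (mine, not code from the thread, from FreeRADIUS or from Samba): it renders the exec module definition the reply refers to with the domain filled in, then runs the same ntlm_auth call directly from the shell and classifies the result, so a Samba/winbind problem is found before RADIUS is in the picture. The domain name EXAMPLE, the binary path /usr/bin/ntlm_auth and the user name alice are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeRADIUS or Samba.
# Pre-flight check for the ntlm_auth "exec" module route:
#   1. render the module definition (FreeRADIUS 2.x: /etc/raddb/modules/ntlm_auth)
#      with the domain filled in, so you can diff it against your own file;
#   2. run the same ntlm_auth call outside radiusd and classify the result,
#      so a Samba/winbind problem is found before RADIUS is involved.
# Placeholders (assumptions): domain EXAMPLE, path /usr/bin/ntlm_auth.

NTLM_AUTH=${NTLM_AUTH:-/usr/bin/ntlm_auth}

# Print the exec module definition for the given domain.
# %{mschap:User-Name} strips a DOMAIN\ or @realm prefix from the login name;
# %{User-Password} is the cleartext PAP password, i.e. it is handed to
# ntlm_auth on its command line (see the usage note).
render_ntlm_auth_module() {
    domain=$1
    cat <<EOF
exec ntlm_auth {
    wait = yes
    program = "$NTLM_AUTH --request-nt-key --domain=$domain --username=%{mschap:User-Name} --password=%{User-Password}"
}
EOF
}

# Map the first line ntlm_auth prints to a short verdict.  Anything not
# recognised (including "command not found") is reported as unknown.
classify_ntlm_status() {
    case $1 in
        NT_STATUS_OK:*)               echo ok ;;
        NT_STATUS_WRONG_PASSWORD:*)   echo wrong-password ;;
        NT_STATUS_NO_SUCH_USER:*)     echo no-such-user ;;
        NT_STATUS_NO_LOGON_SERVERS:*) echo no-logon-servers ;;  # winbind cannot reach a DC
        *)                            echo unknown ;;
    esac
}

# Run ntlm_auth exactly as the module would, print "verdict: raw line",
# and return 0 only on NT_STATUS_OK.
check_ntlm_auth() {
    domain=$1 user=$2 pass=$3
    out=$("$NTLM_AUTH" --request-nt-key --domain="$domain" \
            --username="$user" --password="$pass" 2>&1 | head -n 1)
    verdict=$(classify_ntlm_status "$out")
    echo "$verdict: $out"
    [ "$verdict" = ok ]
}

# Usage: sh ntlm_check.sh check EXAMPLE alice   (password is read from the tty)
if [ "${1:-}" = check ] && [ $# -eq 3 ]; then
    printf 'Password for %s: ' "$3"
    stty -echo; read -r pass; stty echo; echo
    render_ntlm_auth_module "$2"
    check_ntlm_auth "$2" "$3" "$pass"
fi
```

Run the check as the same user radiusd runs as: --request-nt-key needs access to winbind's privileged pipe directory, which is why that user is usually added to the group owning winbindd_privileged. Two things to keep in mind once it passes: the password travels on ntlm_auth's command line (that is how the 2.x exec module passes %{User-Password}), so it is briefly visible in the process list, and PAP means the cleartext password reaches the RADIUS server in the first place. With ntlm_auth answering NT_STATUS_OK, `radtest alice <password> localhost 0 <shared-secret>` sends a PAP Access-Request and exercises the authorize/authenticate sections above end to end.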