Hello James - I recently did a job for a large University which had the same problem.
After many, many problems with "winbind" we decided not to use it and we went with a hybrid solution.

We eventually ended up proxying the EAP inner authentication using "EAP_PEAP_MSCHAP_Convert" to the Microsoft NPS RADIUS server. This kept all of the EAP processing with Radiator and only passed MSCHAP-V2 to NPS.

See the example in "goodies/eap_peap_mschap_proxy.cfg".

YMMV

regards

Hugh

On 28 Sep 2012, at 23:38, James Zee <[email protected]> wrote:

> All,
>
> I could use some pointers on where to go with an issue I'm having on our Radiator servers for EAP authentication. I know that this question may border a Samba-specific issue, but the Radiator community is pretty helpful so I'm hoping someone may have run into something similar and can help me out.
>
> Because we're bouncing off of AD, we're relying on ntlm_auth to check a user's credentials. Unfortunately our specific Active Directory environment is *very* unstable with DCs randomly rebooting / being upgraded. This results in issues when ntlm_auth is run, such as:
>
> (a) NTLM Could not authenticate user 'USERNAME': NT_STATUS_IO_TIMEOUT
> (b) NTLM Could not authenticate user 'USERNAME': Access denied
>
> When things break badly and all ntlm_auth requests return one of these errors, the only way to fix this is to unbind from the domain, then rebind with a "net join".
>
> The big issue here is that Samba / winbind seems to tie itself to *one* domain controller -- it doesn't seem to automatically query another DC when something breaks with the DC ntlm_auth is currently using.
>
> Two big questions:
>
> (i) is ntlm_auth the ONLY way to get AD / EAP authentication to work? From what I've read, ntlm_auth is the only method because AD doesn't supply passwords and even if it did the PW attribute is encrypted when it would have to be in clear text, correct?
>
> (ii) since I assume ntlm_auth is the only way to easily authenticate, has anyone found a robust way to depend on Samba / winbind? Maybe some sort of load balancing? Possibly setting up Samba as a DC that then has the passwords stored locally as well?
>
> Again, I know this question is pretty broad and may border a post that should be in the Samba mailing list, but if someone could point me in the right direction I'll head down that path. :)
>
> Thanks!
> -james
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Hugh Irvine
[email protected]

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
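As an added illustration of the hybrid approach Hugh describes (this is not his configuration and not the goodies file he points to), the following Radiator configuration sketch terminates PEAP on Radiator and proxies only the inner MSCHAP-V2 to NPS with EAP_PEAP_MSCHAP_Convert, listing two NPS hosts so that one unreachable server does not take authentication down. Host names, shared secrets, paths and certificate files are placeholders, and the parameter set is assumed from Radiator's standard PEAP goodies rather than taken from this thread.

```text
# Added example configuration (assumed layout, not from the thread).
Foreground
LogStdout
LogDir   /var/log/radiator
DbDir    /etc/radiator
Trace    3

# NAS / access points that talk RADIUS to Radiator (placeholder secret).
<Client DEFAULT>
    Secret CHANGE-ME-nas-secret
</Client>

# Inner handler: must appear BEFORE the catch-all handler, because Radiator
# tries Handlers in configuration order and a bare <Handler> matches everything.
# It receives the EAP-MSCHAPV2 exchange that ran inside the PEAP tunnel.
<Handler TunnelledByPEAP=1>
    <AuthBy RADIUS>
        # Two NPS servers (constructed names); the second is tried when the
        # first fails to reply, so a single rebooting DC/NPS does not wedge auth.
        Host nps1.example.com
        Host nps2.example.com
        Secret CHANGE-ME-shared-secret
        AuthPort 1812
        AcctPort 1813
        Retries 2
        RetryTimeout 3
        FailureBackoffTime 60
        # Convert the inner EAP-MSCHAPV2 into plain MSCHAP-V2 RADIUS attributes,
        # so NPS only validates MSCHAP-V2 against AD and never handles EAP.
        # NPS must list this Radiator host as a RADIUS client with the same secret.
        EAP_PEAP_MSCHAP_Convert
    </AuthBy>
</Handler>

# Outer handler: terminates the PEAP TLS tunnel on Radiator. The AuthBy FILE
# only drives the EAP negotiation; the users file needs to exist but no
# password is checked here (placeholder certificate paths).
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server.pem
        EAPTLS_PrivateKeyPassword CHANGE-ME-key-password
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Because the MSCHAP-V2 leg crosses the network as plain RADIUS, keep the Radiator-to-NPS path on a management segment and use a long, unique shared secret per server.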
