Re: PEAP - AD Disabled
Hi,

> Isn't the same certificate used in the TLS tunnel for TTLS? Anyhow, it appears to be something to do with the person who configured Samba. They clustered the servers and the privileges changes in /var/cache/samba/winbind_privileged. That directory has been one of the biggest problems we've had so far.

Distro package updates will often blat such files - did the server recently get a SAMBA update? If so, then the post-install section changes the permissions of that link directory. Everyone in our team here is aware of that - our patch notification system has big warning notices at the top of any update notifications so as to ensure that the yum/up2date/apt-get process doesn't just get done blindly.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: PEAP - AD Disabled
Have you checked the certificate? That's one major difference. ntlm_auth is the auth after the cert conversation in PEAP is done. Maybe a radiusd -X log to help us along?

From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet
Sent: Friday, June 25, 2010 8:22 AM
To: 'FreeRadius users mailing list'
Subject: PEAP - AD Disabled

Okay, I've had a working config with the following for the past month.

TTLS-LDAP
PEAP-AD
PEAP-Local Users File

After a month running everything perfectly, 3 days ago the PEAP-AD portion of the AAA failed. This is for wireless auth. Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config-wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to login via PEAP-AD. Everything else is verified as working.

Aside from FreeRADIUS itself, what are the differences between using ntlm_auth via CLI and via FreeRADIUS?

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434
Re: PEAP - AD Disabled
On 25/06/10 14:21, Nathan McDavit-Van Fleet wrote:
> Okay, I've had a working config with the following for the past month.
>
> TTLS-LDAP
> PEAP-AD
> PEAP-Local Users File
>
> After a month running everything perfectly, 3 days ago the "PEAP-AD" portion of the AAA failed. This is for wireless auth. Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config-wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to login via PEAP-AD. Everything else is verified as working.
>
> Aside from FreeRADIUS itself, what are the differences between using ntlm_auth via CLI and via FreeRADIUS?

Permissions? Including unix perms on the winbind socket, and perhaps SELinux labelling.
RE: PEAP - AD Disabled
Isn't the same certificate used in the TLS tunnel for TTLS? Anyhow, it appears to be something to do with the person who configured Samba. They clustered the servers and the privileges changes in /var/cache/samba/winbind_privileged. That directory has been one of the biggest problems we've had so far.

Thanks,

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434

-----Original Message-----
From: freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org [mailto:freeradius-users-bounces+nmcdavit=alcor.concordia...@lists.freeradius.org] On Behalf Of Danner, Mearl
Sent: Friday, June 25, 2010 9:34 AM
To: FreeRadius users mailing list
Subject: RE: PEAP - AD Disabled

Have you checked the certificate? That's one major difference. ntlm_auth is the auth after the cert conversation in PEAP is done. Maybe a radiusd -X log to help us along?

From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet
Sent: Friday, June 25, 2010 8:22 AM
To: 'FreeRadius users mailing list'
Subject: PEAP - AD Disabled

Okay, I've had a working config with the following for the past month.

TTLS-LDAP
PEAP-AD
PEAP-Local Users File

After a month running everything perfectly, 3 days ago the PEAP-AD portion of the AAA failed. This is for wireless auth. Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config-wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to login via PEAP-AD. Everything else is verified as working.

Aside from FreeRADIUS itself, what are the differences between using ntlm_auth via CLI and via FreeRADIUS?

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434
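The two hints in this thread, unix permissions on the winbind socket (possibly reset by a Samba package post-install) and SELinux labelling, can be checked mechanically. The program below is an added example, not code from the thread, FreeRADIUS or Samba. It assumes Samba's usual socket name `pipe` inside the privileged directory, defaults to the path named above (`/var/cache/samba/winbind_privileged`, overridable as the first argument), and is meant to be run as the user radiusd runs as (for example `sudo -u radiusd ./winbindcheck`), because that is the difference between the working CLI test and the failing PEAP path. It reports the directory mode and group, whether the caller is in that group, and then actually connects to the socket, which separates EACCES (modes or SELinux labels) from ENOENT (wrong path or winbindd down) and ECONNREFUSED (stale socket).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
	"time"
)

// Finding is one observation about the privileged winbind directory or its socket.
type Finding struct {
	Problem bool
	Text    string
}

// CountProblems returns how many findings are actual problems.
func CountProblems(fs []Finding) int {
	n := 0
	for _, f := range fs {
		if f.Problem {
			n++
		}
	}
	return n
}

// CheckWinbindPrivileged inspects the directory holding winbindd's privileged
// socket the way ntlm_auth sees it when FreeRADIUS runs it as the radiusd user:
// directory mode, directory group versus the caller's groups (gids) and, when
// dial is set, a real connect() to the socket. The socket file name "pipe" is
// an assumption matching Samba's usual layout; pass the directory to check.
func CheckWinbindPrivileged(dir string, gids []int, dial bool) []Finding {
	var out []Finding
	add := func(problem bool, format string, a ...interface{}) {
		out = append(out, Finding{problem, fmt.Sprintf(format, a...)})
	}
	st, err := os.Stat(dir)
	if err != nil {
		add(true, "cannot stat %s: %v", dir, err)
		return out
	}
	if !st.IsDir() {
		add(true, "%s is not a directory", dir)
		return out
	}
	sys := st.Sys().(*syscall.Stat_t) // Unix only
	mode := st.Mode().Perm()
	add(false, "%s: mode %04o uid %d gid %d", dir, uint32(mode), sys.Uid, sys.Gid)
	if mode&0050 != 0050 {
		add(true, "group lacks r-x on %s (expected 0750); a Samba package post-install may have reset it", dir)
	}
	if mode&0007 != 0 {
		add(true, "%s is world-accessible; the privileged pipe must not be", dir)
	}
	member := false
	for _, g := range gids {
		if uint32(g) == sys.Gid {
			member = true
		}
	}
	if !member {
		add(true, "caller is not in gid %d that owns %s; add the radiusd user to that group", sys.Gid, dir)
	}
	if !dial {
		return out
	}
	sock := filepath.Join(dir, "pipe")
	conn, err := net.DialTimeout("unix", sock, 2*time.Second)
	switch {
	case err == nil:
		conn.Close()
		add(false, "connected to %s", sock)
	case errors.Is(err, syscall.EACCES):
		add(true, "permission denied connecting to %s: check modes and SELinux labels", sock)
	case errors.Is(err, syscall.ENOENT):
		add(true, "%s does not exist: winbindd not running, or its privileged dir is elsewhere", sock)
	case errors.Is(err, syscall.ECONNREFUSED):
		add(true, "%s exists but nothing listens on it: stale socket or winbindd restarting", sock)
	default:
		add(true, "connect %s: %v", sock, err)
	}
	return out
}

// Run as the radiusd user, e.g. sudo -u radiusd ./winbindcheck /var/cache/samba/winbind_privileged
func main() {
	dir := "/var/cache/samba/winbind_privileged" // directory named in the thread; override with argv[1]
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	gids, _ := os.Getgroups()
	gids = append(gids, os.Getegid())
	fs := CheckWinbindPrivileged(dir, gids, true)
	for _, f := range fs {
		tag := "ok  "
		if f.Problem {
			tag = "FAIL"
		}
		fmt.Println(tag, f.Text)
	}
	if CountProblems(fs) > 0 {
		os.Exit(1)
	}
}
```

If the modes and group look right but the connect still fails with permission denied, that is the SELinux case Alan mentions: the process context, not the unix mode, is refusing the socket. A clean run as root next to a failing run as radiusd is the same comparison Nathan made between the CLI and FreeRADIUS, just made explicit.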
RE: PEAP + AD
If you read the FAQ it says that you can't do CHAP with LDAP.

[speculation] But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the LDAP schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes. [/end speculation]

In my attempts to use LDAP with Active Directory for PEAP it wouldn't work, so I went Samba. It works fine. radiusd -X and the mailing list are your best friends. :)

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kartthik Raghunathan
Sent: Thursday, May 25, 2006 12:17 AM
To: freeradius-users@lists.freeradius.org
Subject: PEAP + AD

Am trying to authenticate my Windows supplicant (i.e. XP with SP2) with PEAP against the Windows 2000 AD. But in the error log I could see an Access-Reject error message. So I need a clarification here: is it necessary to get Samba on with Active Directory to do PEAP + AD authentication? Sorry for the silly question here!
Re: PEAP + AD
Kartthik Raghunathan [EMAIL PROTECTED] wrote:
> Am trying to authenticate my Windows supplicant (i.e. XP with SP2) with PEAP against the Windows 2000 AD. But in the error log I could see an Access-Reject error message. So I need a clarification here: is it necessary to get Samba on with Active Directory to do PEAP + AD authentication?

No. Read radiusd.conf for how to integrate FreeRADIUS with AD. Look for "domain controller".

Alan DeKok.
Re: PEAP + AD
Chris Liles [EMAIL PROTECTED] wrote:
> But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the LDAP schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.

Yes. There are hooks in AD to do just that, but the software implementing the hooks has to be installed on every domain controller.

> In my attempts to use LDAP with Active Directory for PEAP it wouldn't work, so I went Samba. It works fine. radiusd -X and the mailing list are your best friends. :)

AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

Alan DeKok.
RE: PEAP + AD
> AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

That is right, I forgot that even if you are on an SSL/TLS LDAP connection as an administrator, you can't pull the password back from AD.

What hooks are you talking about? The extensions for Unix services?

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, May 25, 2006 11:36 AM
To: FreeRadius users mailing list
Subject: Re: PEAP + AD

Chris Liles [EMAIL PROTECTED] wrote:
> But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the LDAP schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.

Yes. There are hooks in AD to do just that, but the software implementing the hooks has to be installed on every domain controller.

> In my attempts to use LDAP with Active Directory for PEAP it wouldn't work, so I went Samba. It works fine. radiusd -X and the mailing list are your best friends. :)

AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

Alan DeKok.
Re: PEAP + AD
Chris Liles [EMAIL PROTECTED] wrote:
> What hooks are you talking about? The extensions for Unix services?

No. There are APIs in Windows to catch password changes, and pass them through your own code. That code can then *also* write the password to a different part of the AD schema. For this to work, it requires:

- someone to understand and write the code
- the code to run on *every* member of an AD forest
- the AD schema to be updated to include the new ntpassword attribute
- AD ACLs put in place to limit access to that attribute to FreeRADIUS
- FreeRADIUS to be configured to look for that attribute.

It shouldn't be hard, but convincing admins to change their AD schema, and run third-party code on their DCs is often hard.

Alan DeKok.