On Feb 19, 2009, at 11:11 AM, Tomas wrote:
Do I need to change my modules/mschap config? Currently I have:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
As Ivan
On Thu, 2009-02-19 at 10:23 -0600, Mike Loosbrock wrote:
> Tomas, it sounds like you want the following behavior:
>
> 1.) machine boots up
> 2.) machine 802.1x authenticates, opening switch port for AD
> communication
> 3.) user enters credentials into OS login screen
> 4.) machine authenticates
On Feb 19, 2009, at 8:28 AM, Tomas wrote:
My problem is that my Windows box has no way of communicating with the AD
server to verify user credentials for the initial login screen (the reason for
that is that the switch port state is uncontrolled and nothing but EAPOL
traffic can pass through).
Is there any
On Thu, 2009-02-19 at 13:34 +0100, t...@kalik.net wrote:
> I am not sure what the problem is from your description. If it's
> complaining about the domain, try using the alternative for the username,
> %{mschap:User-Name}. That is documented above the ntlm_auth line in the
> mschap module. Try and see if that
>My question now is, how do I log in to AD using a new user that has never
>logged on to the box before? I'm getting an error saying domain AD
>unavailable, but if I use a username that I used to log in with before 802.1x
>enforcement, all is looking good...
>
I am not sure what the problem is from your des
On Thu, 2009-02-19 at 11:33 +0100, t...@kalik.net wrote:
> I have news for you - you haven't done any of this:
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_radiusd.conf
>
> > Module: Instantiating mschap
> > mschap {
> > use_mppe = yes
> >
>I believe I did all I had to do to enable my FreeRADIUS server to chat to
>Windows AD
>
>
>I made changes to my FreeRADIUS configuration according to
>http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
Hi,
I believe I did all I had to do to enable my FreeRADIUS server to chat to
Windows AD
##
Kerberos:
r...@radius:/home/radius# kinit administra...@ad.lab.com
Password for administra...@ad.lab.com:
r...@radius:/home/radius# klist
Ticket cache: F
Thanks for that, I'll get samba and winbind working from the FreeRADIUS
wiki.
Cheers,
Tomas
On Wed, 2009-02-18 at 08:54 -0600, Danner, Mearl wrote:
> Install samba and winbind. That's the proper way to pass auth to AD.
> Forget likewise-open.
>
> It works quite well the way that's documented in the
Install samba and winbind. That's the proper way to pass auth to AD.
Forget likewise-open.
It works quite well the way that's documented in the wiki. You'll
probably waste a lot of time doing it any other way.
Mearl
>Why should one do that, especially if the samba docs say "Use password server
>option only with security = server"?
>
http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2553159
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradi
MYNTDOMAIN is just a fake domain name I pasted in the log. But ntlm_auth
on the server uses my real domain...
I see the error announced by ntlm_auth, but don't know how to repair it.
When I run ntlm_auth --request-nt-key --domain=MYREALNTDOMAIN
--username=user and provide the password, everything
Hi,
> Now I went back to the default configuration and made only a few changes
> (according to
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO).
>
> Everything looks much better now, but I still get the "wrong password"
> error.
ntlm_auth isn't happy - the output shows
Hi.
Now I went back to the default configuration and made only a few changes
(according to
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO).
Everything looks much better now, but I still get the "wrong password"
error.
I think, that the problem is in this part of t
Tomás wrote:
> Everything looks good. I can see the request from AP and authentication
> activities it entails between FreeRadius and AD. But the authentication
> is never successful.
...
> auth: No authenticate method (Auth-Type) configuration found for the
> request:
You have deleted all refe
Hi.
Because we can authenticate against AD only (not only, but...) using
MS-CHAP, I had to extend the system to its final form (I don't know any
MS-CHAP testing utility):
[WinXP] -> [AP] -> [FreeRadius] -> [AD server]
(i.e. I'm using the wireless interface in Windows to connect to the AP and
authenti
Alan DeKok said:
> It is impossible to use CHAP to authenticate to AD. You MUST use
> MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that EAP-TTLS
with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all
failed.
So you have explained why EA
Hi,
> I see progress, because I have a 0xC06A error in my AD log (wrong
> password). That is a good message, because the radius server (understand: my
> wrong configuration of the server) finally communicates with AD.
> Hurray!
yay! Now, don't forget, depending on how you talk to
your AD, you
Hi.
I didn't want to say that this howto is somehow wrong or bad... It just
didn't work in my case. (understand: I did/I'm doing something wrong)
Now I'm focusing on what you wrote in the first e-mail: do MS-CHAP instead
of CHAP for AD auth. (Thanks for the advice)
I see progress, because I ha
Hi,
> Yes, something like that, but working. I've walked through this exact
> article about 10 times during last two months, but never made it:-(
>
> I'm really looking for working howto for months...
I checked through it and had a working config.
alan
Tomáš Janeček wrote:
> Yes, something like that, but working. I've walked through this exact
> article about 10 times during last two months, but never made it:-(
>
> I'm really looking for working howto for months...
Please explain what's going wrong. Use debug output.
If the NAS is doing
Yes, something like that, but working. I've walked through this exact
article about 10 times during last two months, but never made it:-(
I'm really looking for working howto for months...
--
Tomáš Janeček
Do you mean something like:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
Have a nice day!
On 20.05.2008 at 12:54, Tomáš Janeček wrote:
Thanks for the reply.
Is there any specific HOW-TO?
--
Tomáš Janeček
Tomáš Janeček wrote:
> I would like to authenticate my Windows XP wireless clients against
> Active Directory server via Freeradius.
...
> What doesn't work:
> When I try to bind phase 1.) and 2.) (ie. send request from winXP to
> radius and let radius to authenticate against AD), it returns:
>
>
Rutger Beyen wrote:
> So where do I specify them, and what should a query look like?
For simple mapping of LDAP attributes to RADIUS, see 'ldap.attrmap'.
For complex queries, see doc/variables.txt, and just put the LDAP
queries into a dynamically expanded string:
DEFAULT
Reply-Messag
Rutger Beyen wrote:
> If I have to contact the AD with the ldap protocol for the vlan, why can't I
> just use that way to verify the user's credentials?
AD can verify credentials, if FreeRADIUS sees a clear-text password in
the RADIUS request.
Otherwise, it's impossible. AD is *not* an LDAP
On Thursday, December 20, 2007 10:36 PM, Josh Howlett wrote:
> Using Ntlm_auth from the samba server is not an opti
> Using Ntlm_auth from the samba server is not an option. I
> want to access the AD with the ldap protocol for
> compatibility reasons.
You can't.
> Next, I want to place the logged on
> user is a specific VLAN. So I have to retrieve the user's
> vlan from the AD. Is there any way to configu
On Thu, Dec 20, 2007 at 09:44:25PM +0100, Rutger Beyen wrote:
> Hello,
> I'm very glad I found a list like this. I hope some of you can help me with
> this problem.
>
> I want to set up a project with 802.1X, so users accessing my cisco switch
> first have to log on. I found out that I could use
hi,
search for "freeRadius_AD_tutorial" on google... it is a good howto...
sers
elkono
King, Michael wrote:
Yes.
It's called ntlm_auth
You need samba installed to use it, and join the freeradius computer to
the domain. (Yes, you can join Linux to an active directory domain)
Yes.
It's called ntlm_auth
You need samba installed to use it, and join the freeradius computer to
the domain. (Yes, you can join Linux to an active directory domain)
You're making this more complicated than it is (and please don't talk
about me like I'm not here).
To authenticate plain credentials against AD is no different than
authenticating against any other LDAP server except for the fact that
your uid attribute is different. So, read the docs for the
5 more minutes of testing,
I tried
ntlm_auth --request-nt-key --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
On a whim, and it worked (removed domain from ntlm_auth)
Sorry for the excess question.
On Tuesday, April 26, 2005 8:12 PM, Michael Griego wrote:
Hey, Michael,
I'm betting your ntlm_auth command, where it uses the username, looks
like this:
--username=%{Stripped-User-Name:-%{User-Name:-None}}
This is the default. Try changing your ntlm_auth line in your
radiusd.conf to something like this:
ntlm_auth --request-nt-key --username=%{mschap:
Ok, scratch half of my last message. I left it configured for TLS.
PEAP isn't working for me.
I'm getting this failure:
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 14
rlm_mschap: No User-Password configured. Cannot create LM-Password.
The --disable-shared fixed that problem, and I replaced all the
certificates and I was successfully able to log on via TLS, and lo and
behold, PEAP works now too.
Thanks.
"King, Michael" <[EMAIL PROTECTED]> wrote:
> /usr/local/sbin/radiusd: relocation error:
> /usr/local/lib/rlm_eap_peap-1.0.2.so: undefined symbol: eaptls_process
Yuck. You're running an unfriendly OS.
The simplest way to fix this is to re-build & re-install the server via:
$ ./configure --di
On Tuesday, April 26, 2005 5:05 PM, Michael Brown wrote:
From the comments in
I have already set it to "yes", but it doesn't work in my case.
> From the comments in radiusd.conf (under the mschap config):
>
> # Windows sends us a username in the form of
> # DOMAIN\user, but sends the challenge response
>
I cleared the check box, but the problem still exists. I think the problem
isn't the client, because I have used the same scenario and the same
configuration with the IAS Radius Server from Microsoft and all worked
well, but I won't use the IAS for this project. It is important for me to
get freera
From the comments in radiusd.conf (under the mschap config):
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
#
My first FreeRADIUS post, and I don't think I can answer your problem,
but I think I can clarify the problem.
When you configure the MSCHAPv2 properties in the Windows client, you
are selecting "Automatically Use my Windows Username and Password (And
Domain if available)" You get the error you po
On Thu, 21 Oct 2004, Alan DeKok wrote:
> > Additionally how the authentication request is
> > forwarded to AD.
>
> FreeRADIUS can do authentication to a Windows domain via ntlm_auth.
> It's not quite the same thing, but it's close.
Another, possibly simpler, solution is to install IAS on the Win
Cool Man <[EMAIL PROTECTED]> wrote:
> My problem is I am proxying user of a specfic domain
> to another radius server which is infact an Active
> directory.
Active Directory is not a RADIUS server.
Could you say which RADIUS server you're actually using?
> Now the EAP packets proxied to AD
Hi Bill,
My problem is I am proxying users of a specific domain
to another radius server which is in fact an Active
Directory.
Now the EAP packets proxied to AD are rejected
straight away. Now my question is how should I set up
my kerberos so that the request goes to the proxied AD.
Secondly, The us
Michael,
This is more out of curiosity than anything (I have not looked at the
ntlm_auth module ... for the record):
What does the ntlm_auth module give you over the kerberos authentication
for user auth. Does the ntlm_auth module give you the ability
For using PEAP with FreeRADIUS and Active Directory, you'll need to use
the ntlm_auth functionality in the mschap module.
--Mike
On Thu, 2004-10-21 at 06:36, Cool Man wrote:
> Hi,
>
>
> Active Directory works with freeradius through, but if
> you want to use it within a 802.1x/EAP environment
Hi,
Active Directory works with freeradius, though, but if
you want to use it within an 802.1x/EAP environment it
won't work, because you have to get the NT passwords
out of Active Directory. Active Directory doesn't
support this, as far as I came to know.
Is there any solution to this?
Thanks,
Yes, you can do this, you have to use LDAP to integrate the two, and
I've included a link that might be of some use...
LDAP (Incorporates radius server with AD Authentication)
http://www.siliconvalleyccie.com/linux-adv/ldap.htm
--
Thomas Lasswell
http://www.graphinesystems.com
[EMAIL PROTECTED]