Re: freeradius with samba domain and port-access (Christian)
"Thanks for help. I think so too, but I have no idea how or even if it is possible. The WXPSP2 Client with user authentication is not able to authenticate against the freeradius. There is not even a request arriving on the freeradius. If I toggle to "Identify with ComputerInformation if possible" there is at least a request arriving at the radius server. It takes some time, but it works. After the Authentication with computer Information, it's not possible to authenticate a second time with the user information. How do I have to configure the client correctly to realize user authentication? Or do I need to reconfigure the server?"

I know it sounds stupid, but you have set up the correct radius type for port based authentication?

There's two on the HP procurves,

    Radius-CHAP
    Radius-EAP

Do

    show authentication

via the CLI and it should give you something looking like this.

     Status and Counters - Authentication Information

      Login Attempts : 3
      Respect Privilege : Enabled

                  | Login      Login      Enable     Enable
      Access Task | Primary    Secondary  Primary    Secondary
      ----------- + ---------- ---------- ---------- ----------
      Console     | Radius     Local      Radius     Local
      Telnet      | Local      None       Local      None
      Port-Access | EapRadius
      Webui       | Local      None       Local      None
      SSH         | Radius     Local      Radius     Local
      Web-Auth    | ChapRadius
      MAC-Auth    | ChapRadius

Need to make sure Port-Access is set to EapRadius, else the switch won't pass the eap messages through correctly.

If it's on Chap use

    config
    aaa authentication port-access eap-radius
    write mem

---
Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
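The check described in the message above, written as a small script that can be run over saved switch output. This is an added example, not part of the original post; the sample text is constructed from the table layout quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the `show authentication` output above.
SAMPLE = """\
 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Enabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Radius     Local      Radius     Local
  Telnet      | Local      None       Local      None
  Port-Access | EapRadius
  Webui       | Local      None       Local      None
  SSH         | Radius     Local      Radius     Local
  Web-Auth    | ChapRadius
  MAC-Auth    | ChapRadius
"""

def parse_auth_table(text):
    """Return {access task: [methods, ...]} from the rows below the '--- + ---' rule."""
    tasks, in_body = {}, False
    for line in text.splitlines():
        if re.match(r"^\s*-+\s*\+", line):   # separator row ends the header
            in_body = True
            continue
        if in_body and "|" in line:
            task, _, methods = line.partition("|")
            if task.strip():
                tasks[task.strip()] = methods.split()
    return tasks

def check_port_access(text):
    """Return (ok, message): is the Port-Access primary method EapRadius?"""
    methods = parse_auth_table(text).get("Port-Access")
    if not methods:
        return False, "no Port-Access row found"
    if methods[0].lower() != "eapradius":
        return False, f"Port-Access primary is {methods[0]}, expected EapRadius"
    return True, "Port-Access primary is EapRadius"

if __name__ == "__main__":
    print(check_port_access(SAMPLE))
    # Same capture with the port-access method left on CHAP (constructed).
    print(check_port_access(SAMPLE.replace("| EapRadius", "| ChapRadius")))
```
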
Re: freeradius with samba domain and port-access (Christian)
The Windows clients can be configured to log on with machine credentials. For this, they will need accounts in AD. This has been tested to work with FreeRADIUS for a while. I haven't done it myself, but search the net & docs. It does work.

Once that happens, the switch thinks that the machine is authenticated, and may not re-do authentication for the user. There's very little you can do in this case.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius with samba domain and port-access (Christian)
Christian Hohmann wrote:
>> Now the Problem: Some workstations are added to a samba managed domain and can only login on the samba service.
>> It seems to me, that the winxpsp2 supplicant first wants to authenticate at
>> the samba server. But the switch doesn't allow the connection, because the
>> port is closed until the eap-authentication is handled.
>The machines also need to log in using EAP.
>Alan DeKok.

Thanks for help. I think so too, but I have no idea how or even if it is possible. The WXPSP2 Client with user authentication is not able to authenticate against the freeradius. There is not even a request arriving on the freeradius. If I toggle to "Identify with ComputerInformation if possible" there is at least a request arriving at the radius server. It takes some time, but it works. After the Authentication with computer Information, it's not possible to authenticate a second time with the user information.

How do I have to configure the client correctly to realize user authentication? Or do I need to reconfigure the server?

Regards
Christian
Re: freeradius with samba domain and port-access
Christian Hohmann wrote:
> Now the Problem: Some workstations are added to a samba managed domain and can only login on the samba service.
> It seems to me, that the winxpsp2 supplicant first wants to authenticate at
> the samba server. But the switch doesn't allow the connection, because the
> port is closed until the eap-authentication is handled.

The machines also need to log in using EAP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
freeradius with samba domain and port-access
Dear List-Members,

I'm trying to setup a port access control using freeradius, but I can't succeed so far. I'm looking for a solution fitting the following points: Port authentication through an hp switch, dynamic vlan assignment by the freeradius server.

I solved the problem for clients that have a local account. The freeradius deals with peap + mschapv2 and the passwords are located in the users file. Later the smbpasswd file should be used. The Switch is configured for port-access-authentication and the ports are closed until the supplicant has authenticated correctly. The winxpsp2 clients are configured to use their login names and password for authentication.

Now the Problem: Some workstations are added to a samba managed domain and can only login on the samba service. It seems to me, that the winxpsp2 supplicant first wants to authenticate at the samba server. But the switch doesn't allow the connection, because the port is closed until the eap-authentication is handled.

I really hope that you can give me a hint.

Regards
Christian