Hi Bill,

My problem is that I am proxying users of a specific domain to another RADIUS server, which is in fact an Active Directory. Now the EAP packets proxied to AD are rejected straight away. My question is: how should I set up my Kerberos so that the request goes to the proxied AD?

Secondly, the users coming to my network are using EAP for access authentication. Therefore, how are the EAP packets treated if I set Default Auth-Type == kerberos? Additionally, how is the authentication request forwarded to AD?

Regards,
Raza.

--- Bill Schwanitz <[EMAIL PROTECTED]> wrote:

> Cool Man wrote:
> | Hi,
> |
> | Active Directory works with freeradius though, but if
> | you want to use it within a 802.1x/EAP environment it
> | won't work. Because you have to get out of Active
> | Directory the NT Passwords. Active Directory doesn't
> | support this, so far I came to know.
> |
>
> Suggestion: look at getting rlm_krb5 to work. If you
> want an example config:
>
> /etc/krb5.conf:
>
> --- begin ---
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   default = SYSLOG
>   kdc = FILE:/var/log/krb5kdc.log
>   kdc = SYSLOG
>   admin_server = FILE:/var/log/kadmind.log
>   admin_server = SYSLOG
>
> [libdefaults]
>   ticket_lifetime = 24000
>   default_realm = DOMAIN.ORG
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>
> [realms]
>   DOMAIN.ORG = {
>     kdc = 1.2.3.4:88
>     admin_server = 1.2.3.4
>   }
>
> [domain_realm]
>   .telsource.net = DOMAIN.ORG
>   telsource.net = DOMAIN.ORG
>
> [kdc]
>   profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>   pam = {
>     debug = true
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>     addressless = true
>   }
> --- end ---
>
> then, in radiusd.conf:
>
> modules {
>
>   krb5 {
>     service_principal = DOMAIN.ORG
>   }
>
> }
>
> authenticate {
>   #
>   # krb5 / kerberos
>   #
>   krb5
> }
>
> /etc/users:
>
> DEFAULT Auth-Type = Kerberos
>   Fall-Through = 1
>
> | Is there any solution to this.
> |
> | Thanks,
> | Raza.
> |
> | --- Thomas Lasswell <[EMAIL PROTECTED]> wrote:
> |
> |>Yes, you can do this, you have to use LDAP to integrate the two, and
> |>I've included a link that might be of some use...
> |>
> |>LDAP (Incorporates radius server with AD Authentication)
> |>http://www.siliconvalleyccie.com/linux-adv/ldap.htm
> |>
> |>--
> |>Thomas Lasswell
> |>http://www.graphinesystems.com
> |>[EMAIL PROTECTED]
> |>[EMAIL PROTECTED]
> |>
> |>On Wed, 20 Oct 2004 05:36:46 -0700 (PDT), Cool Man
> |><[EMAIL PROTECTED]> wrote:
> |>
> |>>Hi,
> |>>
> |>>I would like to know if freeradius works with Active
> |>>directory. If so how can I configure it.
> |>>
> |>>secondly, I want to use Active Directory within for
> |>>802.1x/EAP authentication. Is there any possibility to
> |>>establish this task.
> |>>
> |>>Thanks,
> |>>Raza.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
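A static check of the realm lookup path in the krb5.conf quoted above, as an added example that is not part of the original thread or of FreeRADIUS. With `dns_lookup_kdc = false`, as in the posted config, every realm named by `default_realm` or `[domain_realm]` needs its own `kdc` entry under `[realms]`; `parse_krb5` and `check_krb5` are hypothetical helper names, and the sample is the posted config trimmed to the sections checked.

```python
import re
# Sample input: the krb5.conf quoted in the thread, trimmed to the sections checked.
SAMPLE = """\
[libdefaults]
 default_realm = DOMAIN.ORG
 dns_lookup_kdc = false
[realms]
 DOMAIN.ORG = {
  kdc = 1.2.3.4:88
 }
[domain_realm]
 .telsource.net = DOMAIN.ORG
 telsource.net = DOMAIN.ORG
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, val = (part.strip() for part in line.split("=", 1))
            if val == "{":                      # start of a "REALM = {" block
                stack.append(stack[-1].setdefault(key, {}))
            else:                               # repeated keys keep every value
                stack[-1].setdefault(key, []).append(val)
    return conf

def check_krb5(text):
    """Return a list of realm-lookup inconsistencies (hypothetical helper)."""
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default = lib.get("default_realm", [None])[0]
    problems = [] if default else ["no default_realm in [libdefaults]"]
    # Only when DNS lookup is explicitly off must every realm list its own KDC.
    dns_off = lib.get("dns_lookup_kdc", [""])[0].lower() in ("false", "no", "0", "off")
    wanted = {v for vals in conf.get("domain_realm", {}).values() for v in vals}
    wanted |= {default} if default else set()
    for realm in sorted(wanted):
        entry = realms.get(realm)
        if dns_off and not (isinstance(entry, dict) and entry.get("kdc")):
            problems.append(f"{realm}: no kdc in [realms] and dns_lookup_kdc is false")
    return problems
```

`check_krb5(SAMPLE)` returns an empty list for the posted config; pointing a `[domain_realm]` entry at a realm that `[realms]` does not define produces one finding per missing realm.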