Hi Bill, 

My problem is I am proxying users of a specific domain
to another RADIUS server which is in fact an Active
Directory.

Now the EAP packets proxied to AD are rejected
straight away. Now my question is how should I set up
my Kerberos so that the request goes to the proxied AD.

Secondly, the users coming to my network are using EAP
for access authentication; therefore, how are the EAP
packets treated if I set Default
Auth-Type == kerberos?

Additionally, how is the authentication request
forwarded to AD?

Regards,
Raza.


--- Bill Schwanitz <[EMAIL PROTECTED]> wrote:

> Cool Man wrote:
> | Hi,
> |
> |
> | Active Directory works with freeradius though, but if
> | you want to use it within a 802.1x/EAP environment it
> | won't work. Because you have to get out of Active
> | Directory the NT Passwords. Active Directory doesn't
> | support this, so far I came to know.
> |
> 
> Suggestion: look at getting rlm_krb5 to work. If you
> want an example config:
> 
> /etc/krb5.conf:
> 
> --- begin ---
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  default = SYSLOG
>  kdc = FILE:/var/log/krb5kdc.log
>  kdc = SYSLOG
>  admin_server = FILE:/var/log/kadmind.log
>  admin_server = SYSLOG
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = DOMAIN.ORG
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> 
> [realms]
>  DOMAIN.ORG = {
>   kdc = 1.2.3.4:88
>   admin_server = 1.2.3.4
>  }
> 
> [domain_realm]
>  .telsource.net = DOMAIN.ORG
>  telsource.net = DOMAIN.ORG
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = true
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>    addressless = true
>  }
> --- end ---
> 
> then, in radiusd.conf:
> 
> modules {
> 
>         krb5 {
>                 service_principal = DOMAIN.ORG
>         }
> 
> }
> 
> authenticate {
>         #
>         # krb5 / kerberos
>         #
>         krb5
> }
> 
> /etc/users:
> 
> DEFAULT Auth-Type = Kerberos
>         Fall-Through = 1
> 
> | Is there any solution to this.
> |
> | Thanks,
> | Raza.
> |
> |
> |
> |
> | --- Thomas Lasswell <[EMAIL PROTECTED]> wrote:
> |
> |
> |>Yes, you can do this, you have to use LDAP to integrate the two, and
> |>I've included a link that might be of some use...
> |>
> |>LDAP (Incorporates radius server with AD Authentication)
> |>http://www.siliconvalleyccie.com/linux-adv/ldap.htm
> |>
> |>--
> |>Thomas Lasswell
> |>http://www.graphinesystems.com
> |>[EMAIL PROTECTED]
> |>[EMAIL PROTECTED]
> |>
> |>On Wed, 20 Oct 2004 05:36:46 -0700 (PDT), Cool Man
> |><[EMAIL PROTECTED]> wrote:
> |>
> |>>Hi ,
> |>>
> |>>I would like to know if freeradius works with Active
> |>>directory. If so how can I configure it.
> |>>
> |>>Secondly, I want to use Active Directory within for
> |>>802.1x/EAP authentication. Is there any possibility to
> |>>establish this task.
> |>>
> |>>Thanks,
> |>>Raza.
> |>>
> |>>-
> |>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



                
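A consistency check for a krb5.conf like the one quoted above, as an added example that is not part of the original messages: with dns_lookup_kdc = false, every realm named in default_realm or [domain_realm] needs its own kdc entry under [realms], otherwise the Kerberos library has no KDC to send the request to. The sample text, branch.example and OTHER.ORG are constructed for illustration, and parse_krb5 and check_realms are hypothetical helper names.

```python
import re

# Constructed sample; OTHER.ORG is a deliberate fault (no [realms] entry).
SAMPLE = """
[libdefaults]
 default_realm = DOMAIN.ORG
 dns_lookup_kdc = false
[realms]
 DOMAIN.ORG = {
  kdc = 1.2.3.4:88
 }
[domain_realm]
 .telsource.net = DOMAIN.ORG
 branch.example = OTHER.ORG
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] | {subkey: [values]}}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                     # new [section]
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":                         # end of a { ... } block
            block = None
        elif section is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":                        # start of a nested block
                block = section.setdefault(key, {})
            else:                                 # repeated keys accumulate
                (block if block is not None else section).setdefault(key, []).append(val)
    return conf

def check_realms(conf):
    """List the realms the Kerberos library would have no way to locate a KDC for."""
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    # Assumption: an absent dns_lookup_kdc counts as enabled (MIT krb5 default).
    dns_kdc = lib.get("dns_lookup_kdc", ["true"])[-1].lower() not in ("false", "no", "off", "0")
    used = {v[-1] for v in conf.get("domain_realm", {}).values()}
    used.update(lib.get("default_realm", []))
    problems = [] if "default_realm" in lib else ["libdefaults: default_realm is not set"]
    for realm in sorted(used):
        entry = realms.get(realm)
        if not dns_kdc and not (isinstance(entry, dict) and entry.get("kdc")):
            problems.append(f"{realm}: no kdc in [realms] and dns_lookup_kdc is off")
    return problems
```

Calling check_realms(parse_krb5(open("/etc/krb5.conf").read())) runs the same check against a live file; an empty list means every referenced realm has a reachable KDC definition.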