I have a question about the PEAP method: do I need to import the client certificate from the freeradius CA server to the WinXP client, or just import the server certificate?
2005/11/27, Alhagie Puye <[EMAIL PROTECTED]>:
> Thanks Dusty. That's very helpful.
>
> I have one little problem. I was hoping someone could shed some light on
> it.
>
> For the Active Directory security, I need to specify the username as
> "Domain\user" instead of just "user" for the identity in radiusd.conf.
>
> "[EMAIL PROTECTED]" doesn't seem to work.
>
> Here is the output:
>
> rad_recv: Access-Request packet from host 192.168.42.1:50667, id=146, length=57
>         User-Name = "user"
>         User-Password = "password"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
>   modcall[authorize]: module "preprocess" returns ok for request 4
>   modcall[authorize]: module "chap" returns noop for request 4
>   modcall[authorize]: module "mschap" returns noop for request 4
>     rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 4
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 4
>     users: Matched entry DEFAULT at line 153
>   modcall[authorize]: module "files" returns ok for request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for apuye
> radius_xlat:  '(uid=apuye)'
> radius_xlat:  'dc=ad,dc=puyenet,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to orion.puyenet.com:389, authentication 0
> rlm_ldap: bind as [EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com/password to orion.puyenet.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns fail for request 4
> modcall: group authorize returns fail for request 4
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 146 with timestamp 4388ab87
> Nothing to do.  Sleeping until we see a request.
>
> The radiusd.conf file looks like this for the ldap section:
>
> ldap {
>         server = "orion.puyenet.com"
>         # identity = "cn=admin,o=My Org,c=UA"
>         identity = "[EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com"
>         password = password
>         #basedn = "o=My Org,c=UA"
>         basedn = "dc=ad,dc=puyenet,dc=com"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
>
> Thanks in advance.
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
>
> > >-----Original Message-----
> > >From: [EMAIL PROTECTED]
> > >[mailto:[EMAIL PROTECTED] On
> > >Behalf Of Dusty Doris
> > >Sent: November 25, 2005 9:43 AM
> > >To: FreeRadius users mailing list
> > >Subject: RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
> > >
> > >
> > >> So, the question again is: if the VPN Concentrator is only sending
> > >> username and password, do I need ntlm_auth or ms-chap? FreeRADIUS
> > >> doesn't have any usernames and passwords and will query Active
> > >> Directory for the actual authentication.
> > >>
> > >> Thanks,
> > >>
> > >
> > >If the packet merely contains a plaintext username and
> > >password, then you can probably just use rlm_ldap against AD
> > >and hit it directly. You just need to set up a user with read
> > >access to the directory to do the initial bind with and
> > >search of the user for authorization. Then the user will be
> > >authenticated by doing a bind against AD with the
> > >username/password in the packet.
> > >
> > >BTW - I use freeradius w/ ldap for cisco VPN concentrators
> > >as well, although it's openldap instead of AD. To pass back
> > >the class attribute, you must modify ldap.attrmap and
> > >specify the reply item of Class to match what you call it in
> > >the directory.
> > >
> > >e.g.:
> > >
> > >replyItem Class radiusClass
> > >
> > >Then in the directory, you have
> > >
> > >dn: cn=someuser,...
> > >...
> > >radiusClass: "OU=myvpngroup;"
> > >
> > >So, for AD, you'll need to extend the schema and add an
> > >attribute for this. Or if you already have something that
> > >you can use, just modify ldap.attrmap to know what it is.
> > >
> > >-Dusty Doris
> > >-
> > >List info/subscribe/unsubscribe? See
> > >http://www.freeradius.org/list/users.html
> > >

--
He is nothing
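As an added illustration (not code from this thread or from the FreeRADIUS project), the following Python models the flow Dusty describes above: the service-account bind and user search that rlm_ldap performs in authorize, the bind as the user that authenticate performs with the User-Password from the packet, and the ldap.attrmap replyItem mapping of radiusClass to Class. The in-memory directory, the radius-reader account, its DNs, passwords and the radiusClass value are constructed stand-ins; the realm-stripping rules approximate what rlm_realm's suffix (user@realm) and ntdomain (DOMAIN\user) instances would leave in Stripped-User-Name, and the filter value is RFC 4515-escaped as the real xlat does.

```python
import re

# Constructed in-memory directory: DN -> (bind password, attributes).
# The reader account, the user entry and its radiusClass are stand-ins, not real data.
BASEDN = "dc=ad,dc=puyenet,dc=com"
READER_DN = "cn=radius-reader,ou=users," + BASEDN
DIRECTORY = {
    READER_DN: ("reader-pw", {"uid": "radius-reader"}),
    "cn=apuye,ou=users," + BASEDN: ("user-pw", {"uid": "apuye",
                                                "radiusClass": "OU=myvpngroup;"}),
}

# ldap.attrmap line from Dusty's message:  replyItem Class radiusClass
ATTRMAP_REPLY = {"radiusClass": "Class"}


def ldap_escape(value):
    """RFC 4515 escaping of the characters that are special in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def ldap_unescape(value):
    """Reverse of ldap_escape, used by the simulated server when comparing values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def simple_bind(dn, password):
    """Simulated LDAP simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password


def search(basedn, filter_str):
    """Simulated subtree search; supports only a single (attr=value) equality filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, value = m.group(1), ldap_unescape(m.group(2))
    return [dn for dn, (_, attrs) in DIRECTORY.items()
            if dn.endswith(basedn) and attrs.get(attr) == value]


def strip_realm(user_name):
    """Approximation of rlm_realm: 'suffix' strips user@realm, 'ntdomain' strips DOMAIN\\user.
    Returns the Stripped-User-Name value, or None when there is no realm delimiter."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return None


def xlat_filter(user_name):
    """Expand filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" with the value escaped."""
    stripped = strip_realm(user_name)
    return "(uid=%s)" % ldap_escape(user_name if stripped is None else stripped)


def rlm_ldap(identity, identity_pw, basedn, user_name, user_pw):
    """Model of rlm_ldap authorize + authenticate. Returns (result, reply_items):
      'fail'     the identity bind failed, so no search is attempted (the posted log)
      'notfound' the expanded filter matched no entry under basedn
      'reject'   the bind as the user with the packet's User-Password failed
      'ok'       user bind succeeded; directory attributes mapped through ATTRMAP_REPLY
    """
    if not simple_bind(identity, identity_pw):
        return "fail", {}
    matches = search(basedn, xlat_filter(user_name))
    if not matches:
        return "notfound", {}
    user_dn = matches[0]
    if not simple_bind(user_dn, user_pw):
        return "reject", {}
    attrs = DIRECTORY[user_dn][1]
    reply = {ATTRMAP_REPLY[a]: v for a, v in attrs.items() if a in ATTRMAP_REPLY}
    return "ok", reply


if __name__ == "__main__":
    print(rlm_ldap(READER_DN, "wrong-pw", BASEDN, "apuye", "user-pw"))
    print(rlm_ldap(READER_DN, "reader-pw", BASEDN, "PUYENET\\apuye", "user-pw"))
```

The first call reproduces what the posted debug log shows: when the identity/password bind fails, rlm_ldap returns fail before any user lookup, so the bind DN has to be fixed before the filter or the attrmap matter at all. One check worth making before pointing a filter like this at AD: AD user objects keep the logon name in sAMAccountName (and userPrincipalName) rather than uid, so a `(uid=...)` filter will typically match nothing there even once the bind succeeds.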