Yeah, I'm not sure I want to use LDAP (clear text) for authentication. I'm
starting to think that I can just use md5 passwords in a database or a flat
file to manage it, there's really not that many "administrative" users for the
cisco equipment. It's either that or pony up several thousands for the Cisco
ACS server...it was worth beating my head against a wall for a few days though
:-)
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rupert Finnigan
Sent: Wednesday, December 03, 2008 3:03 PM
To: FreeRadius users mailing list
Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
Following on from this, I've just had a read of my radiusd.conf file.
I'd start by having a look at the ldap module, specifically around the:
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
bit.. This might provide the answer you're looking for.
Rupes
2008/12/3 Rupert Finnigan <[EMAIL PROTECTED]>
Well, yes - it does proxy them fine.. But is the request from
the switch a MS-CHAP one? I don't think it is..
The switch will be sending a PAP request, not a MS-CHAP one,
and so you'll need to configure FreeRADIUS to take the PAP request and auth
that against AD. As the switch isn't sending a MS-CHAP request then FreeRADIUS
can't process it as such, and so MS-CHAP module returns noop. Unfortunately,
I'm not clued up enough on FreeRADIUS to help you with this config, but in
essence this is what I think you need to do to achieve your goal.
2008/12/3 Ben Little <[EMAIL PROTECTED]>
Yeah, I'm trying to authenticate and authorize administrative tty sessions to
the Cisco equipment itself, not 802.1x for clients on the network. If it's not
possible I guess it's not possible. It does kind of make me wonder how the Cisco
ACS works though, because that 'proxies' radius or tacacs+ authen and author
requests to active directory quite nicely.
________________________________
From: freeradius-users-bounces+blittle=skylight.com@lists.freeradius.org
[mailto:freeradius-users-bounces+blittle=skylight.com@lists.freeradius.org]
On Behalf Of Rupert Finnigan
Sent: Wednesday, December 03, 2008 2:04 PM
To: FreeRadius users mailing list
Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
Hi,
I'm not sure if what you're doing is going to work.. You're trying to use
MS-CHAP to handle terminal session logins, I think.. Most of the MS-CHAP advice
given so far is to get EAP working from a client, say an XP laptop doing 802.1X
to gain access to a switchport.
Someone will definitely correct me if I'm wrong, but I thought you could only
do PAP (or CHAP???) for authentication to a terminal line. In which case, you
either have to use the plain old users file, use a database such as mysql, or
(probably a better solution) use the LDAP module to bind to the AD with the
supplied username and password, and allow access if successful.
Like I say - I'm really unsure on this one, but as no-one's replied for a while
I thought it might help...
Thanks,
Rupes
2008/12/3 Ben Little <[EMAIL PROTECTED]>
PAP is working:
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "secretz"
[pap] Using clear text password "secretz"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 21 to *.*.*.* port 1645
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 21 with timestamp +431
Ready to process requests.
For some reason though, even when configured to do so, the authentication
attempt coming from a switch or router is not being forwarded to the KDC. I
have followed that how-to now to the letter and Active Directory is not
working; however, active directory and krb are both working fine on the server:
[wbinfo -a test%test output]
plaintext password authentication failed
Could not authenticate user test%test with plaintext password
challenge/response password authentication succeeded
I'm not sure what I am missing here?
Why isn't the login attempt on the switch being forwarded to active directory?
Is there something within the switch that needs to be set? A radius attribute
maybe to identify the login attempt as mschap?
>
> Howto will show you how to set up and test with pap first:
>
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
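For readers arriving at this thread later, here is a configuration sketch of the approach the thread converges on: PAP from the switch, the FreeRADIUS ldap module binding to AD with the user's own credentials, and the exec privilege level returned per AD group. It is an added illustration, not taken from the thread or from the FreeRADIUS project's shipped files; the server name, base DN, group DN, service account and certificate path are placeholders, and the option names follow the FreeRADIUS 2.x raddb/modules/ldap layout, so check them against your own copy.

```conf
# raddb/modules/ldap (FreeRADIUS 2.x layout; placeholders are assumed values)
ldap {
    server   = "dc1.example.local"
    port     = 389
    # AD refuses anonymous searches: bind a low-privilege service account
    identity = "CN=radius-svc,OU=Service Accounts,DC=example,DC=local"
    password = "SERVICE-ACCOUNT-PASSWORD"
    basedn   = "DC=example,DC=local"
    # Find the user by AD logon name, minus any realm the switch appended
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # StartTLS on 389 so the search and the user's bind are encrypted
    # (the clear-text LDAP worry at the top of the thread); the DC needs
    # a server certificate issued by the CA named here
    tls {
        start_tls    = yes
        cacertfile   = /etc/raddb/certs/ad-root-ca.pem
        require_cert = "demand"
    }

    # Group checks (Ldap-Group) via AD's memberOf attribute
    groupname_attribute       = cn
    groupmembership_attribute = memberOf
    groupmembership_filter    = "(member=%{control:Ldap-UserDn})"

    # With a User-Password present and no other Auth-Type claimed, set
    # Auth-Type := LDAP, i.e. bind to AD as the user. PAP only: a CHAP
    # or MS-CHAP request from the switch cannot be checked this way.
    set_auth_type = yes
}

# raddb/sites-enabled/default, relevant parts only
authorize {
    preprocess
    suffix
    files    # users entries below pick priv-lvl or reject
    ldap     # sets Auth-Type := LDAP for the PAP request
    pap
}
authenticate {
    Auth-Type PAP  { pap }
    Auth-Type LDAP { ldap }   # the bind to AD happens here
}

# raddb/users: only the admin group gets exec level 15, everyone else is refused
DEFAULT Ldap-Group == "CN=Network Admins,OU=Groups,DC=example,DC=local"
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for device administration"
```

Check it with radtest against a known account (in debug mode, radiusd -X) before pointing the switch at it. The switch-to-RADIUS leg still hides the PAP password only with the RADIUS shared secret, so keep that leg on the management network.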