Josh Hiner wrote:
> Trying to configure eap ttls with mschapv2 using Freeradius version
> Version 1.1.3 in Redhat enterprise Linux 5.

I suggest upgrading. It's not hard to build an RPM of the latest version of the server. Upgrading will get you a lot.

> I have configured everything and gotten free radius to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the securew2 windows xp eap-ttls client to use
> the current logged on user credentials. Then, SecureW2 sends the
> username in the format of DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> Ok fine, I first enable the nt_domain_hack in the mschap module then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails obviously. Also tried
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

This is fixed in 2.x. You can have different policies for inside the TLS tunnel and outside of it. This makes these configurations easier.

> Anyways, anyone know of how to get etc_smbpasswd module to work. I don't
> want to use the users file (blech) even though it does work when I put
> the user in there, and again, if I just supply the username and password
> (and leave the domain part blank in SecureW2 ttls client) authentication
> does work off /etc/samba/smbpasswd.

Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing).

Alan DeKok.