[SOLVED] Re: Cisco Aironet 1240AG, PEAP and Active directory
Thanks guys, it's working fine now with version 3.2.15 of Samba. For anyone having problems with ntlm_auth OK but no Access-Accept received after that, use this version of Samba.

FreeRADIUS 2.1.8
Samba 3.2.5
Cisco Aironet 1240G

Johan Meiring wrote:
> Abdessamad BARAKAT wrote:
> > I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?
>
> Search the list. You'll get lots of messages about it. As far as I remember it needs to be 3.2 and below.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco Aironet 1240AG, PEAP and Active directory
On 09/02/10 20:42, Trevor Jennings wrote:
> Just out of curiosity, is there a reason why Samba is used in the AD authentication? Is that the only option for FreeRadius? I ask because I heard that ntlm_auth was not that stable.

No problem with stability here - version 3.2.x - where did you read/hear that it was not that stable? ntlm_auth does its work thousands of times per minute during our busy times.

You need to use ntlm_auth because you are doing challenge response vs the AD - LDAP won't do the work.

alan
Cisco Aironet 1240AG, PEAP and Active directory
Hi guys, I need your help with a strange problem. I want to authenticate users connected to a Cisco Aironet 1240AG with their AD account; sometimes it's working and sometimes not, and now it doesn't want to work without changing something in the configuration... The AD authentication with ntlm_auth is working fine, but just after that the freeradius sends an access-challenge to the aironet and nothing after that, no access-accept or access-reject. The Windows part works correctly (kinit, net join and ntlm_auth). I use the virtual server inner-tunnel to handle the EAP/PEAP stuff, listening on different ports (auth 1814 / acct 1815). The aironet and the freeradius are synchronized with the same NTP server.

FreeRADIUS 2.1.8
Samba 3.3.10
Debian 3.1

You can see below the detail of a full session between the aironet and the freeradius. Many thanks for any tips.

rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=172, length=146
	User-Name = AD_DOMAIN\\user_test_wifi
	Framed-MTU = 1400
	Called-Station-Id = 001c.f661.2861
	Calling-Station-Id = 0018.de10.fcef
	Service-Type = Login-User
	Message-Authenticator = 0xed65b0ebeb73a88b8467cc86843891e8
	EAP-Message = 0x0201001501424f5552424f4e5c61626172616b6174
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 879
	NAS-Port-Id = 879
	NAS-IP-Address = 10.0.0.77
Tue Feb 9 19:31:31 2010 : Info: server inner-tunnel {
Tue Feb 9 19:31:31 2010 : Info: +- entering group authorize {...}
Tue Feb 9 19:31:31 2010 : Info: ++[mschap] returns noop
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP packet type response id 1 length 21
Tue Feb 9 19:31:31 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns updated
Tue Feb 9 19:31:31 2010 : Info: Found Auth-Type = EAP
Tue Feb 9 19:31:31 2010 : Info: +- entering group authenticate {...}
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP Identity
Tue Feb 9 19:31:31 2010 : Info: [eap] processing type tls
Tue Feb 9 19:31:31 2010 : Info: [tls] Requiring client certificate
Tue Feb 9 19:31:31 2010 : Info: [tls] Initiate
Tue Feb 9 19:31:31 2010 : Info: [tls] Start returned 1
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns handled
Tue Feb 9 19:31:31 2010 : Info: } # server inner-tunnel
Sending Access-Challenge of id 172 to 10.0.0.77 port 1645
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x
	State = 0x630766f363056b37ef480b6cd7986d15
Tue Feb 9 19:31:31 2010 : Info: Finished request 0.
Tue Feb 9 19:31:31 2010 : Debug: Going to the next request
Tue Feb 9 19:31:31 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=173, length=149
	User-Name = AD_DOMAIN\\user_test_wifi
	Framed-MTU = 1400
	Called-Station-Id = 001c.f661.2861
	Calling-Station-Id = 0018.de10.fcef
	Service-Type = Login-User
	Message-Authenticator = 0x412cd5decbd056652c741d532d91f91e
	EAP-Message = 0x020200060319
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 879
	NAS-Port-Id = 879
	State = 0x630766f363056b37ef480b6cd7986d15
	NAS-IP-Address = 10.0.0.77
Tue Feb 9 19:31:31 2010 : Info: server inner-tunnel {
Tue Feb 9 19:31:31 2010 : Info: +- entering group authorize {...}
Tue Feb 9 19:31:31 2010 : Info: ++[mschap] returns noop
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP packet type response id 2 length 6
Tue Feb 9 19:31:31 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns updated
Tue Feb 9 19:31:31 2010 : Info: Found Auth-Type = EAP
Tue Feb 9 19:31:31 2010 : Info: +- entering group authenticate {...}
Tue Feb 9 19:31:31 2010 : Info: [eap] Request found, released from the list
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP NAK
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP-NAK asked for EAP-Type/peap
Tue Feb 9 19:31:31 2010 : Info: [eap] processing type tls
Tue Feb 9 19:31:31 2010 : Info: [tls] Initiate
Tue Feb 9 19:31:31 2010 : Info: [tls] Start returned 1
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns handled
Tue Feb 9 19:31:31 2010 : Info: } # server inner-tunnel
Sending Access-Challenge of id 173 to 10.0.0.77 port 1645
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x
	State = 0x630766f362047f37ef480b6cd7986d15
Tue Feb 9 19:31:31 2010 : Info: Finished request 1.
Tue Feb 9 19:31:31 2010 : Debug: Going to the next request
Tue Feb 9 19:31:31 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=174, length=223
	User-Name = AD_DOMAIN\\user_test_wifi
	Framed-MTU = 1400
	Called-Station-Id = 001c.f661.2861
	Calling-Station-Id = 0018.de10.fcef
	Service-Type = Login-User
	Message-Authenticator =
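As an added example (not code from this thread or from FreeRADIUS), a small Python parser for radiusd -X output of the kind quoted above: it pairs each Access-Request with the reply sent for it, grouped by Calling-Station-Id, and flags clients whose conversation ends on an Access-Challenge with no Access-Accept or Access-Reject, which is the symptom described in the post. The sample log is constructed to mimic the quoted output; the second client MAC is made up.

```python
import re

# Constructed sample modelled on the radiusd -X output quoted above, not a capture
# from the poster's server: client 0018.de10.fcef only ever gets Access-Challenges,
# client 0018.de10.0001 (made-up MAC) finishes with an Access-Accept.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=172, length=146
\tCalling-Station-Id = "0018.de10.fcef"
Sending Access-Challenge of id 172 to 10.0.0.77 port 1645
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=173, length=149
\tCalling-Station-Id = "0018.de10.fcef"
Sending Access-Challenge of id 173 to 10.0.0.77 port 1645
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=174, length=160
\tCalling-Station-Id = "0018.de10.0001"
Sending Access-Challenge of id 174 to 10.0.0.77 port 1645
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=175, length=210
\tCalling-Station-Id = "0018.de10.0001"
Sending Access-Accept of id 175 to 10.0.0.77 port 1645
"""

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
MAC_RE = re.compile(r'^\s*Calling-Station-Id = "?([^"\s]+)"?')
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port")

def parse_sessions(log_text):
    """Map each client MAC to the ordered reply types the server sent it. A request
    starts at 'rad_recv:'; the 'Sending' line with the same NAS and id is its reply."""
    sessions, current = {}, None
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"nas": m.group(1), "id": m.group(2), "mac": None}
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current["mac"] = m.group(1)
            continue
        m = SEND_RE.match(line)
        if m and current and (m.group(3), m.group(2)) == (current["nas"], current["id"]):
            sessions.setdefault(current["mac"], []).append(m.group(1))
            current = None
    return sessions

def stalled_clients(log_text):
    """Clients whose last reply was an Access-Challenge with no Accept/Reject after it
    (the symptom in this thread), mapped to the number of rounds they got through."""
    return {mac: len(r) for mac, r in parse_sessions(log_text).items()
            if r and r[-1] == "Access-Challenge"}
```

Run it over a real debug capture taken over a window long enough for clients to finish; a client that is still mid-handshake at the end of the capture will show up as stalled too.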
Re: Cisco Aironet 1240AG, PEAP and Active directory
Abdessamad BARAKAT wrote:
> The AD authentication with ntlm_auth is working fine, but just after that the freeradius sends an access-challenge to the aironet and nothing after that, no access-accept or access-reject.

Change Samba. It's a bug in Samba. i.e. install a different version of Samba (downgrade, etc.) until it starts working again.

Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
Just out of curiosity, is there a reason why Samba is used in the AD authentication? Is that the only option for FreeRadius? I ask because I heard that ntlm_auth was not that stable.

Cheers,
- Trevor

On Tue, Feb 9, 2010 at 3:36 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Abdessamad BARAKAT wrote:
> > The AD authentication with ntlm_auth is working fine, but just after that the freeradius sends an access-challenge to the aironet and nothing after that, no access-accept or access-reject.
>
> Change Samba. It's a bug in Samba. i.e. install a different version of Samba (downgrade, etc.) until it starts working again.
>
> Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
Trevor Jennings wrote:
> Just out of curiosity, is there a reason why Samba is used in the AD authentication? Is that the only option for FreeRadius?

Samba is the only option for *anyone* to do MS-CHAP authentication against AD. Remember: AD isn't an LDAP server. LDAP servers let you query for the password. AD doesn't let you do that.

Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?

Thanks Alan

Alan DeKok wrote:
> Abdessamad BARAKAT wrote:
> > The AD authentication with ntlm_auth is working fine, but just after that the freeradius sends an access-challenge to the aironet and nothing after that, no access-accept or access-reject.
>
> Change Samba. It's a bug in Samba. i.e. install a different version of Samba (downgrade, etc.) until it starts working again.
>
> Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
Abdessamad BARAKAT wrote:
> I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?

Search the list. You'll get lots of messages about it. As far as I remember it needs to be 3.2 and below.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
RE: Cisco Aironet 1240AG, PEAP and Active directory
> I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?

Version 3.0.35 is working for me. I went through the downgrade process quite a few months ago and settled on that version. It's been fine ever since.

Regards,
Leighton