[RADIATOR] eap peap + ntlm_auth
Heikki Vatiainen
hvn at open.com.au
Thu Feb 17 15:10:42 CST 2011
On 02/17/2011 05:56 AM, James wrote:
> I'm attempting to get EAP MSCHAPv2 (EAP PEAP) to work with wireless so
> that our Cisco Wireless LAN Controllers can bounce user authentication
> off of Radiator.
>
> My understanding is that I should be using the
> goodies/ntlm_eap_peap.cfg configuration file to start building off of.
>
> This file indicates that there are a few moving parts that need to be
> put in place for this to work properly:
>
> (a) smb.conf file must be fleshed out
> (b) ntlm_auth must function for EAP PEAP to work
>
> Correct?
Yes, if your user database is AD.
You could use e.g., plain LDAP if you have access to {nthash}passwords
or plain text passwords. So PEAP does not necessarily imply AD.
> I'm currently stuck at ntlm_auth not functioning at all. Take this
> output as an example:
>
> # ntlm_auth --username=testuser --domain=<domain> --password='blah'
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> : (0x0)
>
> A quick tcpdump shows that this command DOES NOT in any way generate
> any network traffic. Doh.
>
> I guess part of my confusion is whether or not I must "net join" my
> system to the domain. Is that a requirement?
Yes. You must have winbind running, no need for smbd or nmbd, and you
must do "net ads join ..." once.
> My smb.conf file look as follows:
>
> [global]
> # Replace 'OPEN' with the name of your Windows domain:
> workgroup = MYDOMAIN
> security = domain
> password server = *
>
> This is pretty much a one-line change from the smb.conf file found in
> the goodies directory.
>
> Any ideas on why this is failing?
Probably missing domain join is the main thing.
Also see this:
http://www.open.com.au/pipermail/radiator/2010-February/016091.html
Please let us know of your results. The settings seem to always differ
more or less between different environments.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list