[RADIATOR] eap peap + ntlm_auth

Rianto Wahyudi R.Wahyudi at latrobe.edu.au
Thu Feb 17 15:21:21 CST 2011


Hi James, 


Make sure your computer has joined the domain:
I followed these instructions: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

You don't need nsswitch or pam modification. As long as you have successfully joined the domain you are OK.
If you have problems joining your machine to the domain, the best place to look for help is the samba mailing list (http://lists.samba.org)

In regards to Radiator, here is my simplified client + handler config. I hope it helps.

Regards,
Rianto  

<Client 10.0.0.1>
        Identifier              Eduroam-Server
        Secret                  xxxxx
</Client>

<Handler Client-Identifier=Eduroam-Server, TunnelledByTTLS=1,Realm=/(latrobe|ltu).*/i>
        RewriteUsername s/^\@.*//
        # Auth against AD with ntlm_auth
        <AuthBy NTLM>
                EAPType MSCHAP-V2
                Domain LTU
                UsernameMatchesWithoutRealm
        </AuthBy>
</Handler>

#OUTER - CERTIFICATES
<Handler Client-Identifier=Eduroam-Server>
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP,TTLS,TLS,LEAP
                EAPAnonymous %{User-Name}
                EAPTLS_CAPath /etc/radiator/certs/ca
                EAPTLS_CertificateChainFile /etc/radiator/certs/ssl-combined
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
        </AuthBy>
</Handler>
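A pre-flight check for the pieces this reply depends on (winbindd answering, the host actually joined, ntlm_auth returning a result), written here as an added example rather than anything from the thread or from Radiator itself; the domain name LTU, the test account and the NTLM_TEST_PASSWORD variable are assumptions:

```shell
#!/bin/sh
# Added example: verify winbind/domain-join state before blaming Radiator.
# Assumptions: NetBIOS domain LTU (same value as "Domain" in <AuthBy NTLM>),
# a placeholder account "testuser", and the password passed via NTLM_TEST_PASSWORD.
DOMAIN="${DOMAIN:-LTU}"
TESTUSER="${TESTUSER:-testuser}"

# Map ntlm_auth's output to an actionable category. Pure string matching, so it
# can be exercised without a domain controller.
classify_ntlm_auth() {
    case "$1" in
        *"could not obtain winbind separator"*|*"Reading winbind reply failed"*)
            echo "winbind-unreachable" ;;   # winbindd not running or host never joined
        *NT_STATUS_OK*)               echo "ok" ;;
        *NT_STATUS_LOGON_FAILURE*)    echo "bad-credentials" ;;
        *NT_STATUS_NO_LOGON_SERVERS*) echo "no-dc-reachable" ;;
        *)                            echo "unknown" ;;
    esac
}

preflight() {
    # 1. Is winbindd answering at all? The "winbind separator" error means it is not.
    wbinfo -p >/dev/null 2>&1 || { echo "winbindd not running: start winbind"; return 1; }
    # 2. Is the machine account secret valid? Fails when the host was never joined.
    wbinfo -t >/dev/null 2>&1 || { echo "machine trust secret invalid: run 'net ads join'"; return 1; }
    # 3. One real authentication attempt, then classify the reply.
    #    Note: --password on the command line is visible to other local users via ps;
    #    use a throwaway test account, never a privileged one.
    out=$(ntlm_auth --username="$TESTUSER" --domain="$DOMAIN" --password="$1" 2>&1)
    result=$(classify_ntlm_auth "$out")
    echo "ntlm_auth: $result"
    [ "$result" = "ok" ]
}

# Only run the live check when a password was supplied, so the file can also be sourced.
if [ -n "${NTLM_TEST_PASSWORD:-}" ]; then
    preflight "$NTLM_TEST_PASSWORD"
fi
```

Run it on the Radiator host as the user Radiator runs as, since winbindd's socket permissions matter as much as the join itself.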
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of James
Sent: Friday, 18 February 2011 6:21 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] eap peap + ntlm_auth

Bump... any help would be greatly appreciated. :)

-james

On Wed, Feb 16, 2011 at 22:56, James <jtp at nc.rr.com> wrote:
> I'm attempting to get EAP MSCHAPv2 (EAP PEAP) to work with wireless so
> that our Cisco Wireless LAN Controllers can bounce user authentication
> off of Radiator.
>
> My understanding is that I should be using the
> goodies/ntlm_eap_peap.cfg configuration file to start building off of.
>
> This file indicates that there are a few moving parts that need to be
> put in place for this to work properly:
>
> (a) smb.conf file must be fleshed out
> (b) ntlm_auth must function for EAP PEAP to work
>
> Correct?
>
> I'm currently stuck at ntlm_auth not functioning at all. Take this
> output as an example:
>
> # ntlm_auth --username=testuser --domain=<domain> --password='blah'
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> :  (0x0)
>
> A quick tcpdump shows that this command DOES NOT in any way generate
> any network traffic. Doh.
>
> I guess part of my confusion is whether or not I must "net join" my
> system to the domain. Is that a requirement?
>
> My smb.conf file looks as follows:
>
> [global]
>   # Replace 'OPEN' with the name of your Windows domain:
>   workgroup = MYDOMAIN
>   security = domain
>   password server = *
>
> This is pretty much a one-line change from the smb.conf file found in
> the goodies directory.
>
> Any ideas on why this is failing?
>
> -james
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator

