[RADIATOR] eap peap + ntlm_auth

James jtp at nc.rr.com
Thu Feb 17 15:34:11 CST 2011


Thank you both. I will try this soon. :)

I appreciate the quick and detailed responses!

-james

On Thu, Feb 17, 2011 at 16:21, Rianto Wahyudi <R.Wahyudi at latrobe.edu.au> wrote:
> Hi James,
>
>
> Make sure your computer is joined to the domain:
> I followed these instructions: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>
> You don't need nsswitch or PAM modification. As long as you have successfully joined the domain, you are OK.
> If you have a problem joining your machine to the domain, the best place to look for help is the Samba mailing list (http://lists.samba.org)
>
> In regards to Radiator, here is my simplified client + handler config. I hope it helps.
>
> Regards,
> Rianto
>
> <Client 10.0.0.1>
>        Identifier              Eduroam-Server
>        Secret                  xxxxx
> </Client>
>
> <Handler Client-Identifier=Eduroam-Server, TunnelledByTTLS=1,Realm=/(latrobe|ltu).*/i>
>        RewriteUsername s/^\@.*//
>        # Auth against AD with ntlm_auth
>        <AuthBy NTLM>
>                EAPType MSCHAP-V2
>                Domain LTU
>                UsernameMatchesWithoutRealm
>        </AuthBy>
> </Handler>
>
> #OUTER - CERTIFICATES
> <Handler Client-Identifier=Eduroam-Server>
>        <AuthBy FILE>
>                Filename %D/users
>                EAPType PEAP,TTLS,TLS,LEAP
>                EAPAnonymous %{User-Name}
>                EAPTLS_CAPath /etc/radiator/certs/ca
>                EAPTLS_CertificateChainFile /etc/radiator/certs/ssl-combined
>                EAPTLS_CertificateType PEM
>                EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
>                EAPTLS_MaxFragmentSize 1000
>                AutoMPPEKeys
>        </AuthBy>
> </Handler>
>
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of James
> Sent: Friday, 18 February 2011 6:21 AM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] eap peap + ntlm_auth
>
> Bump...and help would be greatly appreciated. :)
>
> -james
>
> On Wed, Feb 16, 2011 at 22:56, James <jtp at nc.rr.com> wrote:
>> I'm attempting to get EAP MSCHAPv2 (EAP PEAP) to work with wireless so
>> that our Cisco Wireless LAN Controllers can bounce user authentication
>> off of Radiator.
>>
>> My understanding is that I should be using the
>> goodies/ntlm_eap_peap.cfg configuration file to start building off of.
>>
>> This file indicates that there are a few moving parts that need to be
>> put in place for this to work properly:
>>
>> (a) smb.conf file must be fleshed out
>> (b) ntlm_auth must function for EAP PEAP to work
>>
>> Correct?
>>
>> I'm currently stuck at ntlm_auth not functioning at all. Take this
>> output as an example:
>>
>> # ntlm_auth --username=testuser --domain=<domain> --password='blah'
>> could not obtain winbind separator!
>> Reading winbind reply failed! (0x01)
>> :  (0x0)
>>
>> A quick tcpdump shows that this command DOES NOT in any way generate
>> any network traffic. Doh.
>>
>> I guess part of my confusion is whether or not I must "net join" my
>> system to the domain. Is that a requirement?
>>
>> My smb.conf file looks as follows:
>>
>> [global]
>>   # Replace 'OPEN' with the name of your Windows domain:
>>   workgroup = MYDOMAIN
>>   security = domain
>>   password server = *
>>
>> This is pretty much a one-line change from the smb.conf file found in
>> the goodies directory.
>>
>> Any ideas on why this is failing?
>>
>> -james
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
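
Added example, not part of the thread or of Radiator's goodies: a shell preflight for the winbind dependency discussed above, since ntlm_auth talks to the local winbindd rather than to the domain controller directly. The function names, return codes and diagnosis keywords are assumptions made for this example; `wbinfo -p` and `wbinfo -t` are the Samba checks for a responding winbindd and a valid domain trust secret.

```shell
#!/bin/sh
# Added example: preflight checks to run on the Radiator host before
# pointing <AuthBy NTLM> at ntlm_auth. Names and return codes are hypothetical.

# Map ntlm_auth output text to a diagnosis keyword.
classify_ntlm_auth_output() {
    case "$1" in
        *"could not obtain winbind separator"*|*"Reading winbind reply failed"*)
            echo winbind_unreachable ;;  # local problem: winbindd did not answer
        *NT_STATUS_OK*)
            echo ok ;;
        *NT_STATUS_WRONG_PASSWORD*|*NT_STATUS_LOGON_FAILURE*|*NT_STATUS_NO_SUCH_USER*)
            echo bad_credentials ;;      # winbindd and the domain both answered
        *)
            echo unknown ;;
    esac
}

# Check each layer in order and stop at the first failure.
# Returns 0 ok, 2 tools missing, 3 winbindd not answering, 4 trust check failed.
winbind_preflight() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    command -v ntlm_auth >/dev/null 2>&1 || { echo "ntlm_auth not installed"; return 2; }
    wbinfo -p >/dev/null 2>&1 || { echo "winbindd is not answering (is it running?)"; return 3; }
    wbinfo -t >/dev/null 2>&1 || { echo "trust secret check failed (is the host joined?)"; return 4; }
    echo "winbind reachable and domain trust verified"
    return 0
}

# Constructed sample: the error text quoted in the thread.
SAMPLE_OUTPUT='could not obtain winbind separator!
Reading winbind reply failed! (0x01)'

# Run the live checks only when asked, e.g.: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    winbind_preflight
fi
```

A `winbind_unreachable` result matches the observation in the thread that the failing command produced no network traffic: the request never got past the local winbindd.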

