[RADIATOR] question about machine based authentication

Joy Veronneau jv11 at cornell.edu
Tue Nov 15 11:43:13 CST 2011


Hi,

I've made some progress on this. The windows 7 machine is now contacting the radius server, but its username starts with "host/" and radiator doesn't seem to like that. Should the machine be sending some sort of different username? I don't think I can get the request to the correct handler until I fix this problem?

The network settings on the windows 7 machine are:
Security type: WPA2 Enterprise
Encryption type: TKIP
Network authentication method: Microsoft: Smart Card or other certificate (Settings -> Use a certificate on this computer, use simple certificate selection)
Advanced settings: 802.1X, specify authentication mode: Computer authentication


Here is what I see on the radius logs:

        User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
        NAS-IP-Address = 132.236.115.218
        NAS-Port = 1
        NAS-Identifier = "cit.redrover.secure"
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "0014D1EA856B"
        Called-Station-Id = "000B866222B0"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
        Aruba-Essid-Name = "eduroam-test"
        Aruba-Location-Id = "test-rhodes-745-ap"
        Message-Authenticator = ]<179>:f<223><241><242>Z<13>:<204><222><150><130>J<181>

Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '', Identifier ''
Tue Nov 15 12:41:42 2011: INFO: Access rejected for host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 ....
Code:       Access-Reject
Identifier: 219
Authentic:  <138>5<9><254><236><131>3<184>xLU?N4<139><225>
Attributes:
        Reply-Message = "Request Denied"

Thanks again,

Joy


On 11/10/11 5:21 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>
>> Is it possible for the radiator server to do machine-based
>> authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine
> based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
> machine joins the domain, a password and username are automatically
> created and these can be used for machine based authentication. This is
> also supported by Radiator by default.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but
>> now someone is asking about machine-based authentication. They are
>> currently doing this with an MS radius server and would like to
>> switch to our centrally managed radius server and central AD system.
>> I know that we would have to issue a new cert to the machine from the
>> central AD domain… but I'm not finding much about how to set up
>> radiator in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra
> checks for certs besides just checking if the cert is valid or not.
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
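The packet dump in the post can be checked mechanically. What follows is an added Python example, not code from the thread or from Radiator itself: it parses the attribute listing in Radiator's dump notation (non-printable bytes shown as `<n>`), decodes the EAP-Message as an EAP Identity response, confirms that the inner EAP identity matches the outer User-Name, and classifies a `host/<fqdn>` identity as computer authentication. The sample dump is reconstructed from the post; the permitted-character allowlist is a constructed assumption, included only to show why the `/` in a machine identity trips a character check written for user@realm names.

```python
import re

# Constructed sample: the attribute lines quoted in the post above.
SAMPLE_DUMP = """\
        User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
        NAS-IP-Address = 132.236.115.218
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "0014D1EA856B"
        EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
        Aruba-Essid-Name = "eduroam-test"
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
MACHINE_PREFIX = "host/"          # Windows computer-account identity prefix
# Assumption: an allowlist written for user@realm names, lacking "/".
DEFAULT_ALLOWED = set("abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.@-_")


def parse_attributes(dump):
    """Turn 'Name = value' lines into a dict, stripping surrounding quotes."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*(.*)$', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).rstrip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def unescape_radiator(text):
    """Decode Radiator's dump notation: printable bytes literal, others as <n>."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r'<(\d+)>', text):
        out.extend(text[pos:m.start()].encode("latin-1"))
        out.append(int(m.group(1)))
        pos = m.end()
    out.extend(text[pos:].encode("latin-1"))
    return bytes(out)


def parse_eap(packet):
    """Parse the EAP header (code, id, length) and, for Request/Response, the type."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP length %d does not match %d bytes present" % (length, len(packet)))
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        result["type"] = packet[4]
        result["data"] = packet[5:length]
    return result


def classify_identity(name):
    """Return ('machine', fqdn) for host/ identities, else ('user', realm-or-None)."""
    if name.startswith(MACHINE_PREFIX):
        return ("machine", name[len(MACHINE_PREFIX):])
    if "@" in name:
        return ("user", name.rsplit("@", 1)[1])
    return ("user", None)


def offending_characters(name, allowed=DEFAULT_ALLOWED):
    """Characters in the User-Name that a given allowlist would reject."""
    return sorted(set(name) - allowed)


def check_request(dump):
    """Cross-check the outer User-Name against the inner EAP Identity and classify it."""
    attrs = parse_attributes(dump)
    eap = parse_eap(unescape_radiator(attrs["EAP-Message"]))
    identity = None
    if eap.get("type") == EAP_TYPE_IDENTITY:
        identity = eap["data"].decode("utf-8")
    kind, suffix = classify_identity(attrs["User-Name"])
    return {
        "user_name": attrs["User-Name"],
        "eap": eap,
        "identity_matches": identity == attrs["User-Name"],
        "auth_kind": kind,
        "machine_fqdn": suffix if kind == "machine" else None,
        "rejected_by_allowlist": offending_characters(attrs["User-Name"]),
    }


if __name__ == "__main__":
    for key, value in check_request(SAMPLE_DUMP).items():
        print(key, "=", value)
```

Working through the dump by hand gives the same answer: `<2><1><0>(` is code 2 (Response), id 1, length 0x0028 = 40, and `<1>` is type 1 (Identity); the 35-byte identity plus the 5 header bytes is exactly 40, so the frame is well formed and the EAP identity is the same `host/...` string as the User-Name. With the constructed allowlist the only character flagged is `/`, which is the one a machine identity always carries, so whatever character restriction applies to the handler that should receive these requests has to admit it.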
