[RADIATOR] eap auth against active directory

alan buxey A.L.M.Buxey at lboro.ac.uk
Tue Oct 9 14:41:41 CDT 2012


Hi,

>    We've decided against using winbind / ntlm_auth. Unfortunately our AD
>    environment is so sporadic and bumpy that we're desperate for another
>    solution.

that really should be fixed. WHY is it bumpy and sporadic? I know
a lot of people give MS grief about their product with various names
being levelled at them but AD, when operating properly, is a solid
bit of software/architecture.

if it's not stable, then how will your RADIUS proxying to the NPS (which
lives in AD) be stable? Why will NPS be stable, as that uses the same
AD backend?

avoiding the real cause of problems isn't the way to go here IMHO. you
may apply a band-aid but if the problem is an infected stump then
it's not going to help in the long term.

>    Unfortunately, however, when we proxy our EAP requests through Radiator,
>    NPS sends an ACCESS-REJECT back without much logging. From what I can
>    tell, NPS is not responding because the RADIUS message that is proxied
>    through Radiator does not have a valid NAS port type.

the event log will contain an error code. look on MS technet NPS docs
for what that error code means. on NPS you will have policy/policies.
if the policies aren't met, you will get a reject. often it will be things
like NAS-Port-Type (which by default is 802.11-Wireless or such). you need
to either ensure that the testing tools send that attribute or
that you change your policies to something else, e.g. the request is EAP
or that the EAP type is PEAP or somesuch

use -N with eapol_test to send whatever you want...(well, so long as
eapol_test was built with the required VSA/TLV in the dictionary files!)

alan


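As an added illustration of the NAS-Port-Type point above (example code written for this page, not from the thread or from Radiator/NPS): a small RADIUS attribute parser that checks whether a proxied Access-Request carries the EAP-Message and NAS-Port-Type attributes an NPS network policy with a NAS-Port-Type condition would match. The two sample packets are constructed inline; the `-N61:d:19` spelling in the comment assumes eapol_test's `attr_id:type:value` form (61 = NAS-Port-Type, 19 = Wireless-802.11).

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2869) used below
USER_NAME = 1
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79
# NAS-Port-Type values from RFC 2865 / RFC 3580
NAS_PORT_TYPE_NAMES = {15: "Ethernet", 19: "Wireless-802.11"}

def parse_attributes(packet):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_nps_policy(packet, allowed_port_types=(19,)):
    """Return 'ok' if the request carries what a NAS-Port-Type policy condition
    needs to match, otherwise a short reason why NPS would send Access-Reject."""
    attrs = parse_attributes(packet)
    if not any(t == EAP_MESSAGE for t, _ in attrs):
        return "no EAP-Message: an EAP-only policy will not match"
    port_types = [struct.unpack("!I", v)[0] for t, v in attrs
                  if t == NAS_PORT_TYPE and len(v) == 4]
    if not port_types:
        return "NAS-Port-Type missing: policy condition cannot match, expect Access-Reject"
    if port_types[0] not in allowed_port_types:
        name = NAS_PORT_TYPE_NAMES.get(port_types[0], str(port_types[0]))
        return "NAS-Port-Type %s not in policy" % name
    return "ok"

def build_access_request(attrs):
    """Build a minimal Access-Request (code 1) with a constructed all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

# Constructed samples: EAP-Response/Identity "alice" without and with NAS-Port-Type,
# the latter being what an eapol_test run with -N61:d:19 (assumed syntax) would add.
EAP_IDENTITY = b"\x02\x01\x00\x0a\x01alice"
BARE = build_access_request([(USER_NAME, b"alice"), (EAP_MESSAGE, EAP_IDENTITY)])
WIRELESS = build_access_request([(USER_NAME, b"alice"), (EAP_MESSAGE, EAP_IDENTITY),
                                 (NAS_PORT_TYPE, struct.pack("!I", 19))])
```

Running `check_nps_policy(BARE)` reports the missing NAS-Port-Type, while the packet with attribute 61 set to 19 passes; change `allowed_port_types` to mirror whatever condition your NPS policy actually uses.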