[RADIATOR] eap auth against active directory
Hugh Irvine
hugh at open.com.au
Fri Oct 12 01:32:53 CDT 2012
We had a similar problem at the University - it turned out to be NPS deciding that it was a person not a machine authenticating and rejecting it out of hand.
If you could send us a copy of the configuration file and the associated trace 4 debug we'll take a look.
regards
Hugh
On 12 Oct 2012, at 17:11, James Zee <jameszee13 at gmail.com> wrote:
> Thanks again for your helpful responses.
>
> We seem to have everything working by proxying requests to NPS. We're running into one final issue, however, that I can't seem to figure out.
>
> Host-based authentication is failing. Specifically, Radiator is throwing an error that indicates:
>
>
> for user host/blah.somewhere.com: PEAP Authentication Failure
>
> Any thoughts on why this may be happening? The only difference between the ntlm_auth wireless Radiator configuration and this one is the RADIUS proxy directive.
>
> -james
>
>
> On Wed, Oct 10, 2012 at 5:10 AM, Heikki Vatiainen <hvn at open.com.au> wrote:
> On 10/09/2012 09:44 PM, James Zee wrote:
>
> > Unfortunately, however, when we proxy our EAP requests through Radiator,
> > NPS sends an ACCESS-REJECT back without much logging. From what I can
> > tell, NPS is not responding because the RADIUS message that is proxied
> > through Radiator does not have a valid NAS port type.
> >
> > Shouldn't the proxied request include a NAS port type? Is there a way to
> > "fake" or append a NAS port type to the RADIUS request?
>
> You can take the NAS-Port-Type from the original, outer RADIUS request
> with this:
>
> AddToRequest NAS-Port-Type=%{OuterRequest:NAS-Port-Type}
>
> Add the option to the Handlers that take care of requests marked with
> TunnelledByPEAP=1 and ConvertedFromEAPMSCHAPV2=1
>
> That should take care of NAS-Port-Type problem if you want or need to
> continue proyxing to NPS.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator
mailing list