[RADIATOR] eap auth against active directory

Hugh Irvine hugh at open.com.au
Mon Oct 15 00:53:32 CDT 2012


Hi James -

As mentioned previously, we will need to see a copy of the Radiator configuration file (no secrets) together with a trace 4 debug showing what is happening.

And you should check the NPS logs of course to see what is happening at that end.

In the case of the University, we were handling the EAP conversation on the Radiator side, and only proxying the inner MS-CHAP authentication.

Unfortunately, NPS considers MS-CHAP authentications to be for people, not machines, so for the machines we had to proxy the entire EAP conversation.

hope that helps

regards

Hugh


On 15 Oct 2012, at 16:37, James Zee <jameszee13 at gmail.com> wrote:

> It is indeed NPS sending Radiator an ACCESS-REJECT.
> 
> I know this is completely non-Radiator related, but do you happen to remember what had to be done on NPS to get this to work? I've been tinkering for hours without success.
> 
> For the record, proxying to NPS works *much* better than ntlm_auth in our extremely unstable AD environment.
> 
> -james
> 
> 
> On Fri, Oct 12, 2012 at 2:32 AM, Hugh Irvine <hugh at open.com.au> wrote:
> 
> We had a similar problem at the University - it turned out to be NPS deciding that it was a person not a machine authenticating and rejecting it out of hand.
> 
> If you could send us a copy of the configuration file and the associated trace 4 debug we'll take a look.
> 
> regards
> 
> Hugh
> 
> 
> On 12 Oct 2012, at 17:11, James Zee <jameszee13 at gmail.com> wrote:
> 
> > Thanks again for your helpful responses.
> >
> > We seem to have everything working by proxying requests to NPS. We're running into one final issue, however, that I can't seem to figure out.
> >
> > Host-based authentication is failing. Specifically, Radiator is throwing an error that indicates:
> >
> >
> > for user host/blah.somewhere.com: PEAP Authentication Failure
> >
> > Any thoughts on why this may be happening? The only difference between the ntlm_auth wireless Radiator configuration and this one is the RADIUS proxy directive.
> >
> > -james
> >
> >
> > On Wed, Oct 10, 2012 at 5:10 AM, Heikki Vatiainen <hvn at open.com.au> wrote:
> > On 10/09/2012 09:44 PM, James Zee wrote:
> >
> > > Unfortunately, however, when we proxy our EAP requests through Radiator,
> > > NPS sends an ACCESS-REJECT back without much logging. From what I can
> > > tell, NPS is not responding because the RADIUS message that is proxied
> > > through Radiator does not have a valid NAS port type.
> > >
> > > Shouldn't the proxied request include a NAS port type? Is there a way to
> > > "fake" or append a NAS port type to the RADIUS request?
> >
> > You can take the NAS-Port-Type from the original, outer RADIUS request
> > with this:
> >
> >   AddToRequest NAS-Port-Type=%{OuterRequest:NAS-Port-Type}
> >
> > Add the option to the Handlers that take care of requests marked with
> > TunnelledByPEAP=1 and ConvertedFromEAPMSCHAPV2=1
> >
> > That should take care of the NAS-Port-Type problem if you want or need to
> > continue proxying to NPS.
> >
> > Thanks,
> > Heikki
> >
> > --
> > Heikki Vatiainen <hvn at open.com.au>
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > NetWare etc.
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> >
> 
> 
> --
> 
> Hugh Irvine
> hugh at open.com.au
> 


--

Hugh Irvine
hugh at open.com.au
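As an added illustration (not configuration from this thread or from the Radiator distribution), here is one way to arrange the Handlers Heikki describes: the outer Handler terminates PEAP locally, and the inner Handler, which only sees the requests unpacked from the tunnel, copies NAS-Port-Type from the outer request before proxying to NPS. The NPS host name, the shared-secret placeholder, the certificate paths and the EAP_PEAP_MSCHAP_Convert flag are assumptions from memory of the Radiator reference manual; check them against the manual for your version.

```text
# Outer Handler: terminates the PEAP tunnel on Radiator itself, so the
# NAS-Port-Type the wireless controller sent is present in this request.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/ca.pem           # assumed path
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_PrivateKeyFile %D/certificates/server.key
        # Assumed flag: turns the inner EAP-MSCHAPv2 into a plain RADIUS
        # MS-CHAPv2 request that can be proxied (marked
        # ConvertedFromEAPMSCHAPV2=1 on the inner request).
        EAP_PEAP_MSCHAP_Convert
    </AuthBy>
</Handler>

# Inner Handler: matches only the requests unpacked from the PEAP tunnel
# and converted from EAP-MSCHAPv2. These are freshly built RADIUS
# requests, so they carry no NAS-Port-Type unless we copy it from the
# outer request; without it NPS has rejected the request in this thread.
<Handler TunnelledByPEAP=1, ConvertedFromEAPMSCHAPV2=1>
    AddToRequest NAS-Port-Type=%{OuterRequest:NAS-Port-Type}
    <AuthBy RADIUS>
        Host nps.example.com        # assumed NPS address
        Secret CHANGEME             # placeholder shared secret
        AuthPort 1812
        AcctPort 1813
    </AuthBy>
</Handler>
```

With this in place, a trace 4 debug of the inner proxied request should show the copied NAS-Port-Type alongside the User-Name and MS-CHAP attributes, which is the first thing to confirm before looking at the NPS event log.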
