[RADIATOR] eap auth against active directory

Hugh Irvine hugh at open.com.au
Wed Oct 17 17:39:23 CDT 2012


Hello James -

The problem is here:


	Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
	*** Received from 10.136.235.240 port 32768 ....
	Code:       Access-Request
	Identifier: 47
	Authentic:  %wa<14><212>v<209>S<143>a<132>z<21><194>5`
	Attributes:
	    User-Name = "/DLAR-PBBZNB8.some.tld"


The User-Name attribute does not have "host" at the beginning, so you never use the host-specific Handler.

What is happening in the debug is that this inner authentication is being converted and only the MS-CHAP is being proxied, leading to the problem I have described previously, with NPS thinking this is a user, not a machine.

regards

Hugh


On 18 Oct 2012, at 05:05, James Zee <jameszee13 at gmail.com> wrote:

> Hugh,
> 
> I had previously responded to the thread with the requested information, but the email response was too large and seems to have gotten lost in the mailing list approval process.
> 
> I've pasted the requested information here:
> 
> http://pastebin.com/rbXq2Y5Y
> 
> It's worth noting I've made some progress. The link below has the requested information (new configuration file) where a username beginning with "host" is immediately proxied to NPS.
> 
> http://pastebin.com/059A7Zk7
> 
> I feel I'm getting closer.
> 
> Two questions:
> 
> (a) is anything wrong with this machine authentication handler or does it look like the correct way to proxy these sorts of requests?
> 
> (b) is there a way to force Radiator to log information about the RADIUS request even though we're proxying it via RADIUS to NPS?
> 
> I'm still not having luck with machine-based authentication, but I believe this may be a configuration issue on NPS.
> 
> Thoughts appreciated.
> 
> Thanks!
> -james


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
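
The check described in the reply above, as an added example that is not part of the original message and is not Radiator code: a Python script that reads DEBUG packet dumps and reports, for each received Access-Request, whether User-Name would match a Handler that selects on a leading "host". The selector regex and the second and third dumps in the sample are constructed assumptions.

```python
import re

# Constructed sample in the style of Radiator DEBUG packet dumps; the first
# request mirrors the User-Name quoted in the message above.
SAMPLE_LOG = '''\
Mon Oct 15 01:20:47 2012 564812: DEBUG: Packet dump:
*** Received from 10.136.235.240 port 32768 ....
Code:       Access-Request
Identifier: 47
Attributes:
    User-Name = "/DLAR-PBBZNB8.some.tld"

Mon Oct 15 01:21:02 2012 118233: DEBUG: Packet dump:
*** Received from 10.136.235.240 port 32768 ....
Code:       Access-Request
Identifier: 48
Attributes:
    User-Name = "host/DLAR-PBBZNB8.some.tld"

Mon Oct 15 01:21:02 2012 220101: DEBUG: Packet dump:
*** Sending to 10.136.235.240 port 32768 ....
Code:       Access-Challenge
Identifier: 48
'''

# Assumption: the machine Handler selects on a User-Name starting with "host".
HOST_SELECTOR = re.compile(r'^host')

def parse_dumps(log_text):
    """Yield one dict per packet dump: direction, peer, code, identifier, attrs."""
    for block in re.split(r'^.*DEBUG: Packet dump:[ \t]*$', log_text, flags=re.M)[1:]:
        hdr = re.search(r'\*\*\* (Received from|Sending to) (\S+) port (\d+)', block)
        code = re.search(r'^Code:\s+(\S+)', block, flags=re.M)
        ident = re.search(r'^Identifier:\s+(\d+)', block, flags=re.M)
        attrs = dict(re.findall(r'^[ \t]+([\w-]+) = "?(.*?)"?[ \t]*$', block, flags=re.M))
        if hdr and code and ident:
            yield {'received': hdr.group(1) == 'Received from', 'peer': hdr.group(2),
                   'code': code.group(1), 'id': int(ident.group(1)), 'attrs': attrs}

def handler_report(log_text, selector=HOST_SELECTOR):
    """For each received Access-Request, say whether User-Name hits the selector."""
    report = []
    for pkt in parse_dumps(log_text):
        if pkt['received'] and pkt['code'] == 'Access-Request':
            name = pkt['attrs'].get('User-Name', '')
            report.append((pkt['id'], name, bool(selector.search(name))))
    return report

if __name__ == '__main__':
    print(handler_report(SAMPLE_LOG))
```

A False in the third field marks a request that would fall through to whichever Handler comes next instead of the host-specific one.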


