[RADIATOR] eap auth against active directory
hugh at open.com.au
Sat Sep 29 03:30:07 CDT 2012
Hello James -
I recently did a job for a large University which had the same problem.
After many, many problems with "winbind" we decided not to use it and we went with a hybrid solution.
We eventually ended up proxying the EAP inner authentication using "EAP_PEAP_MSCHAP_Convert" to the Microsoft NPS RADIUS server.
This kept all of the EAP processing with Radiator and only passing MSCHAP-V2 to NPS.
See the example in "goodies/eap_peap_mschap_proxy.cfg".
On 28 Sep 2012, at 23:38, James Zee <jameszee13 at gmail.com> wrote:
> I could use some pointers on where to go with an issue I'm having on our Radiator servers for EAP authentication. I know that this question may border a Samba-specific issue, but the Radiator community is pretty helpful so I'm hoping someone may have run into something similar and can help me out.
> Because we're bouncing off of AD, we're relying on ntlm_auth to check a user's credentials. Unfortunately our specific Active Directory environment is *very* unstable with DCs randomly rebooting / being upgraded. This results in issues when ntlm_auth is run, such as:
> (a) NTLM Could not authenticate user 'USERNAME': NT_STATUS_IO_TIMEOUT
> (b) NTLM Could not authenticate user 'USERNAME': Access denied
> When things break badly and all ntlm_auth requests return one of these errors, the only way to fix this is to unbind from the domain, then rebind with a "net join".
> The big issue here is that Samba / winbind seems to tie itself to *one* domain controller -- it doesn't seem to automatically query another DC when something breaks with the DC ntlm_auth is currently using.
> Two big questions:
> ( i) is ntlm_auth the ONLY way to get AD / EAP authentication to work? From what I've read, ntlm_auth is the only method because AD doesn't supply passwords and even if it did the PW attribute is encrypted when it would have to be in clear text, correct?
> (ii) since I assume ntlm_auth is the only way to easily authenticate, has anyone found a robust way to depend on Samba / winbind? Maybe some sort of load balancing? Possibly setting up Samba as a DC that then has the passwords stored locally as well?
> Again, I know this question is pretty broad and may border a post that should be in the Samba mailing list, but if someone could point me in the right direction I'll head down that path. :)
> radiator mailing list
> radiator at open.com.au
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator