[RADIATOR] eap auth against active directory
Hugh Irvine
hugh at open.com.au
Sat Sep 29 03:30:07 CDT 2012
Hello James -
I recently did a job for a large University which had the same problem.
After many, many problems with "winbind" we decided not to use it and we went with a hybrid solution.
We eventually ended up proxying the EAP inner authentication using "EAP_PEAP_MSCHAP_Convert" to the Microsoft NPS RADIUS server.
This kept all of the EAP processing in Radiator, passing only MSCHAP-V2 to NPS.
See the example in "goodies/eap_peap_mschap_proxy.cfg".
YMMV
regards
Hugh
On 28 Sep 2012, at 23:38, James Zee <jameszee13 at gmail.com> wrote:
> All,
>
> I could use some pointers on where to go with an issue I'm having on our Radiator servers for EAP authentication. I know that this question may border a Samba-specific issue, but the Radiator community is pretty helpful so I'm hoping someone may have run into something similar and can help me out.
>
> Because we're bouncing off of AD, we're relying on ntlm_auth to check a user's credentials. Unfortunately our specific Active Directory environment is *very* unstable with DCs randomly rebooting / being upgraded. This results in issues when ntlm_auth is run, such as:
>
> (a) NTLM Could not authenticate user 'USERNAME': NT_STATUS_IO_TIMEOUT
> (b) NTLM Could not authenticate user 'USERNAME': Access denied
>
> When things break badly and all ntlm_auth requests return one of these errors, the only way to fix this is to unbind from the domain, then rebind with a "net join".
>
> The big issue here is that Samba / winbind seems to tie itself to *one* domain controller -- it doesn't seem to automatically query another DC when something breaks with the DC ntlm_auth is currently using.
>
> Two big questions:
>
> (i) is ntlm_auth the ONLY way to get AD / EAP authentication to work? From what I've read, ntlm_auth is the only method because AD doesn't supply passwords and even if it did the PW attribute is encrypted when it would have to be in clear text, correct?
>
> (ii) since I assume ntlm_auth is the only way to easily authenticate, has anyone found a robust way to depend on Samba / winbind? Maybe some sort of load balancing? Possibly setting up Samba as a DC that then has the passwords stored locally as well?
>
> Again, I know this question is pretty broad and may border a post that should be in the Samba mailing list, but if someone could point me in the right direction I'll head down that path. :)
>
> Thanks!
> -james
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
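The hybrid layout Hugh describes above (Radiator terminates PEAP, the inner MSCHAP-V2 is proxied to NPS with EAP_PEAP_MSCHAP_Convert), written out as an added example. This is not the goodies file and not the University's configuration; the host name, shared secret and certificate paths are placeholders.

```text
# Added example, not from goodies/eap_peap_mschap_proxy.cfg.
# Placeholders: nps.example.com, mysecret, the certificate paths.

# Inner handler first: Radiator matches Handlers in order, so the
# tunnelled request must be caught before the catch-all Handler below.
# Only the converted MS-CHAP-V2 request reaches NPS; winbind and
# ntlm_auth are not involved at all.
<Handler TunnelledByPEAP=1>
    <AuthBy RADIUS>
        Host nps.example.com
        Secret mysecret
        AuthPort 1812
        AcctPort 1813
        # Assumption: NPS lists this Radiator host as a RADIUS client
        # and has a network policy that allows MS-CHAP-v2.
    </AuthBy>
</Handler>

# Outer handler: Radiator terminates the PEAP (TLS) tunnel itself,
# so the AD credentials are never handled by Samba on this box.
<Handler>
    <AuthBy FILE>
        # The users file is not consulted for the tunnel itself; it is
        # here only because EAP parameters live on an AuthBy clause.
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        # Turn the inner EAP-MSCHAP-V2 exchange into plain MS-CHAP-V2
        # RADIUS attributes so the TunnelledByPEAP handler can proxy it
        # to a server that does not speak EAP (Microsoft NPS).
        EAP_PEAP_MSCHAP_Convert 1
        # Session keys for the access point come from the outer TLS
        # master secret, so they are produced here, not by NPS.
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Check the exchange with a trace level of 4 on both sides: Radiator should log the converted MS-CHAP-V2 proxy request and NPS should log an MS-CHAP-v2 authentication, with no ntlm_auth invocations on the Radiator host.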