Hi, I've made some progress on this. The Windows 7 machine is now contacting the RADIUS server, but its username starts with "host/" and Radiator doesn't seem to like that. Should the machine be sending some sort of different username? I don't think I can get the request to the correct handler until I fix this problem?
The network settings on the Windows 7 machine are:

  Security type: WPA2 Enterprise
  Encryption type: TKIP
  Network authentication method: Microsoft: Smart card or other certificate
    (Settings -> Use a certificate on this computer, Use simple certificate selection)
  Advanced settings: 802.1X, Specify authentication mode: Computer authentication

Here is what I see in the RADIUS logs:

User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
NAS-IP-Address = 132.236.115.218
NAS-Port = 1
NAS-Identifier = "cit.redrover.secure"
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "0014D1EA856B"
Called-Station-Id = "000B866222B0"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
Aruba-Essid-Name = "eduroam-test"
Aruba-Location-Id = "test-rhodes-745-ap"
Message-Authenticator = ]<179>:f<223><241><242>Z<13>:<204><222><150><130>J<181>
Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '', Identifier ''
Tue Nov 15 12:41:42 2011: INFO: Access rejected for host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 ....
Code: Access-Reject
Identifier: 219
Authentic: <138>5<9><254><236><131>3<184>xLU?N4<139><225>
Attributes:
Reply-Message = "Request Denied"

Thanks again,
Joy

On 11/10/11 5:21 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>> Is it possible for the Radiator server to do machine-based authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine-based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins the domain, a password and username are automatically created and these can be used for machine-based authentication. This is also supported by Radiator by default.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but now someone is asking about machine-based authentication. They are currently doing this with an MS RADIUS server and would like to switch to our centrally managed RADIUS server and central AD system. I know that we would have to issue a new cert to the machine from the central AD domain… but I'm not finding much about how to set up Radiator in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra checks for certs besides just checking if the cert is valid or not.
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
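As an added example (not code from this thread or from Radiator), the Python below parses the attribute lines and the rejection message from a Radiator debug log like the one above, recognises the "host/<FQDN>" identity that Windows sends for computer authentication, and reports which characters of the User-Name fall outside an assumed allowed set. The sample log and the allowed character set are constructed here; the "/" it flags is the character behind the "Invalid character in User-Name" rejection.

```python
import re

# Constructed sample: a few attribute lines and the rejection line,
# in the same form as the Radiator log quoted in the thread.
SAMPLE_LOG = """\
User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
NAS-IP-Address = 132.236.115.218
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "0014D1EA856B"
Aruba-Essid-Name = "eduroam-test"
Tue Nov 15 12:41:42 2011: INFO: Access rejected for host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
"""

# Assumed allowed set for User-Name (letters, digits, . _ @ -); a server that
# whitelists characters this way rejects the "/" in a host/FQDN identity.
ALLOWED_USERNAME_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._@-")

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')
TIMESTAMP_RE = re.compile(r'^\w{3} \w{3} ')  # "Tue Nov ..." log lines


def parse_attributes(dump: str) -> dict:
    """Collect 'Name = value' lines from a packet dump, quotes stripped."""
    attrs = {}
    for line in dump.splitlines():
        if TIMESTAMP_RE.match(line):   # a log message, not an attribute
            continue
        m = ATTR_RE.match(line)
        if m:
            name, value = m.groups()
            attrs[name] = value.strip('"')
    return attrs


def classify_identity(user_name: str) -> str:
    """Windows computer auth identifies as host/<FQDN>; anything else is a user."""
    return "machine" if user_name.startswith("host/") else "user"


def invalid_chars(user_name: str, allowed=ALLOWED_USERNAME_CHARS) -> list:
    """Characters of the User-Name that fall outside the allowed set."""
    return sorted({c for c in user_name if c not in allowed})


def triage(dump: str) -> dict:
    """Summarise why a request like the one in the log was rejected."""
    name = parse_attributes(dump).get("User-Name", "")
    return {
        "user_name": name,
        "identity_kind": classify_identity(name),
        "fqdn": name[len("host/"):] if name.startswith("host/") else None,
        "bad_chars": invalid_chars(name),
        "rejected": "Invalid character in User-Name" in dump,
    }
```

Routing on the identity kind (for example, a handler that matches User-Name starting with "host/") is what separates computer authentication from user authentication in a log like this.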
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator