[Freeipa-users] FreeRadius Authentications (mschapv2)

William Graboyes wgraboyes at cenic.org
Tue Jul 21 20:28:40 UTC 2015



Hi Alexander, List,

I followed the steps on that blog post, however I am unable to
retrieve the ipaNTHash attribute either as that service account or
as the admin.

Am I missing something?

ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: radius/edurad2.foo.bar at FOO.BAR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar

# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: admin at FOO.BAR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar

# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2


Thanks,
Bill Graboyes

On 7/21/15 11:16 AM, Alexander Bokovoy wrote:
> On Mon, 20 Jul 2015, William Graboyes wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
>> 
>> Hi List,
>> 
>> 
>> I have run into a snag, I figured I would start here and move
>> forward. I have been searching around for the past 3 or 4 hours
>> looking for some solution to the issue that I am having.
>> 
>> We are doing 802.1x against our freeipa servers.  Kerberos auth
>> is working perfectly fine (when used from an android or linux
>> device); however, when it comes to Macs (they strive to be
>> different -_-), while everything else is perfectly happy to use
>> chap or pap, Mac only uses mschapv2 when using EAP-TTLS.
>> 
>> I don't have an active directory to run against, nor do I have
>> samba services running (why would I, there are a total of 5
>> windows boxes in the entire environment).
>> 
>> I was wondering if there was some form of a FreeIPA solution to
>> this form of problem (something I may be missing) that will
>> handle the NTLM auth on a linux system.
>> 
>> I have found some things that are brutishly old, like kcrap, but
>> nothing seems to fit the bill.  I am not against installing
>> samba somewhere (even on the radius servers) to handle this form
>> of authentication, I am just not sure which direction to go for
>> handling this form of auth against FreeIPA.  I would much prefer
>> to use PAM or Kerberos, it just doesn't look like that is going
>> to work in this situation.
> Check this blog post: http://firstyear.id.au/entry/22
> 
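The two ldapsearch runs above both end with "result: 0 Success" and two entries, yet neither entry carries the requested attribute. ldapsearch does not distinguish "attribute not set on the entry" from "bound identity is not allowed to read it": an attribute the ACIs hide and an attribute that was never stored look identical in the output. For ipaNTHash specifically, FreeIPA only generates the value when a user's password is set after ipa-adtrust-install has been run, and reading it needs an explicit permission such as the one the linked blog post creates, so both causes are plausible here. The script below is an added example (not code from the thread, FreeIPA or FreeRADIUS) that parses ldapsearch LDIF output, which is the constructed sample embedded in it, and reports per returned DN which requested attributes were not returned, so the "entry found but attribute missing" case is surfaced explicitly instead of being read off by eye.

```python
"""Diagnose an ldapsearch LDIF result: which entries came back and which
requested attributes each of them is missing (here ipaNTHash).

Added example; the LDIF below is a constructed copy of the output in the
thread, not a live directory result."""

# Constructed sample: the second ldapsearch run from the post.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar

# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def parse_ldif(text):
    """Return (requested_attrs, entries, result_code).

    entries is a list of {"dn": str, "attrs": {name: [values]}}. Binary
    values that ldapsearch base64-encodes with "attr:: ..." are kept as
    the raw base64 string; only their presence matters here."""
    requested, entries, result_code, current = [], [], None, None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("# requesting:"):
            # ldapsearch echoes the attribute list it was asked for
            requested = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue                       # LDIF comment
        if not line:
            if current is not None:        # blank line ends an entry
                entries.append(current)
                current = None
            continue
        if line.startswith("result:"):
            result_code = int(line.split(":", 1)[1].split()[0])
            continue
        if line.startswith("search:"):
            continue
        if line.startswith(" ") and current is not None:
            # LDIF line continuation: append to the last value seen
            last = current["_last"]
            current["attrs"][last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(": ")         # handles both "attr:" and "attr::"
        if name == "dn":
            current = {"dn": value, "attrs": {}, "_last": None}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
            current["_last"] = name
    if current is not None:
        entries.append(current)
    for e in entries:
        e.pop("_last", None)
    return requested, entries, result_code


def diagnose(text):
    """Map each returned DN to the requested attributes that did NOT come
    back. An empty list means everything requested was returned; a
    non-empty one means the attribute is unset or unreadable for the
    bound identity (LDAP does not say which)."""
    requested, entries, code = parse_ldif(text)
    if code != 0:
        raise ValueError("search failed with result code %r" % code)
    return {e["dn"]: [a for a in requested if a not in e["attrs"]]
            for e in entries}


if __name__ == "__main__":
    for dn, missing in diagnose(SAMPLE_LDIF).items():
        if missing:
            print("%s: entry returned but %s absent (unset or not readable)"
                  % (dn, ", ".join(missing)))
        else:
            print("%s: all requested attributes returned" % dn)
```

Run against the thread's output it reports both DNs as returned with ipaNTHash absent. The next step is then to separate the two causes: confirm that ipa-adtrust-install has been run and that the account's password was changed afterwards (so the hash exists at all), and check with `ipa permission-find` that a permission granting read on ipaNTHash is bound to the service principal. The cn=compat entry is a synthesized compatibility view rather than the stored user object, so the cn=accounts DN is the one to judge by.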
