PEAP Machine Authentication
Michael Griego
mgriego at utdallas.edu
Wed Oct 19 19:18:19 CEST 2005
I'm happy to announce that 802.1X/PEAP machine authentication with the
Windows built-in supplicant is now possible using FreeRADIUS. In the
past, machine authentication was only possible by proxying machine
authentication requests to another RADIUS server capable of handling
them, such as IAS. FreeRADIUS, along with some updates to Samba, is now
capable of handling these authentications internally.
Here's a synopsis on how to get this working right now:
The first item required for machine authentication is a patch to the
Samba source. The patch sets the flags that accompany the
authentication request sent to the domain so that workstation (machine
account) logons are allowed. I expect that the Samba team will include
the ability to set these flags at runtime in a future release. You can
find the details of the patching required at
http://www.open.com.au/archives/radiator/2005-10/msg00037.html. It's a
very simple patch to the samba/source/rpc_client/cli_netlogon.c file.
In the cli_netlogon_sam_network_logon() function (be sure not to edit
the cli_netlogon_sam_logon() function by mistake), there is a call to
the init_id_info2() function. The param_ctrl flags parameter passed to
this function is 0, which clears all flags. In order to enable machine
authentication, it should be set to 0x800
(MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT). If you change this and
recompile/reinstall Samba, your ntlm_auth command will be able to
handle machine authentications. As noted above, it is expected that
these flags will become settable at runtime in some future release of
Samba, so this fix is for those who need this functionality now.
Next, when using ntlm_auth, the User-Name received in the request has to
be rewritten. Windows supplicants send the machine name in the form
host/fully.qualified.domain.name. When you provide the user name to
ntlm_auth, it must be in the form machineshortname$, the SAM account
form of the name. I have updated the rlm_mschap module so that a call
to the xlat function mschap:User-Name will now properly format the
machine name as above, as well as format user names. In addition, a
call to the xlat function mschap:NT-Domain will also grab the domain
name from the host/ formatted username. Therefore, with this updated
code, the only change to the configuration in radiusd.conf is to ensure
that your ntlm_auth line looks like the following (one line):
ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN}"
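To make the rewriting concrete, here is an added example (my own illustration, not code from this post, from rlm_mschap or from Samba) that models what the two xlats produce for a request and assembles the argv that the ntlm_auth line above expands to. The host/ handling follows the post (hostname label plus "$", first DNS label after the hostname as the domain); the DOMAIN\user handling, the fallback for a bare host/NAME with no DNS suffix, the default ntlm_auth path and the hex-length checks on the challenge and NT response are this example's own assumptions, and the challenge/response values are constructed, not captured.

```python
# Added example: a model of the mschap:User-Name / mschap:NT-Domain rewriting
# performed before the values reach ntlm_auth. Not FreeRADIUS or Samba code.
# Assumptions: DOMAIN\user prefix stripping, bare host/NAME fallback, the
# ntlm_auth path, and the 8-byte/24-byte length checks.
import shlex
from typing import Optional

DEFAULT_DOMAIN = "DEFAULTDOMAIN"  # stands in for the ":-DEFAULTDOMAIN" fallback


def mschap_user_name(user_name: str) -> str:
    """Value for --username=.

    host/ws01.corp.example.com -> ws01$  (SAM machine-account form)
    CORP\\alice                -> alice  (assumption: strip a DOMAIN\\ prefix)
    alice                      -> alice
    """
    if user_name.startswith("host/"):
        host = user_name[len("host/"):]
        short_name = host.split(".", 1)[0]  # hostname label only, no DNS suffix
        return short_name + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def mschap_nt_domain(user_name: str) -> Optional[str]:
    """Value for --domain=, or None when the request carries no domain.

    For host/ names the domain is the first DNS label after the hostname
    (host/ws01.corp.example.com -> corp). A bare host/ws01 with no suffix
    falls back to the machine name itself (assumption).
    """
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        return labels[1] if len(labels) > 1 else labels[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None


def ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str,
                   ntlm_auth: str = "/usr/bin/ntlm_auth") -> list:
    """Build the argv that the ntlm_auth line in radiusd.conf expands to.

    MS-CHAPv2 hands ntlm_auth an 8-byte challenge and a 24-byte NT response;
    anything else means the xlats fell back to their "00" defaults or the
    request is malformed, so refuse rather than ask the DC to verify junk.
    """
    for name, value, nbytes in (("challenge", challenge_hex, 8),
                                ("nt-response", nt_response_hex, 24)):
        try:
            raw = bytes.fromhex(value)
        except ValueError:
            raise ValueError(f"{name} is not hex: {value!r}")
        if len(raw) != nbytes:
            raise ValueError(f"{name} must be {nbytes} bytes, got {len(raw)}")
    domain = mschap_nt_domain(user_name) or DEFAULT_DOMAIN
    return [ntlm_auth,
            f"--username={mschap_user_name(user_name)}",
            f"--challenge={challenge_hex}",
            f"--nt-response={nt_response_hex}",
            f"--domain={domain}"]


if __name__ == "__main__":
    # Constructed sample values (8-byte challenge, 24-byte NT response),
    # not taken from any real exchange.
    challenge = "0123456789abcdef"
    nt_response = "00112233445566778899aabbccddeeff0011223344556677"
    for name in ("host/ws01.corp.example.com", "CORP\\alice", "bob"):
        print(shlex.join(ntlm_auth_argv(name, challenge, nt_response)))
```

One caveat worth checking in your own deployment: the first DNS label after the hostname is only a heuristic for the NetBIOS domain name. Where the NetBIOS name differs from the first label of the DNS domain, pin --domain= to the correct value in radiusd.conf rather than relying on the xlat's guess. SAM account names are matched case-insensitively, so ws01$ and WS01$ refer to the same machine account.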
The updated rlm_mschap module is available in CVS now. You can grab the
nightly CVS snapshot (the usual caveat of unstable code applies). In
addition, for those familiar with CVS, it is available in the
release_1_0 branch for use with the stable source tree. And, finally,
it will be included in the next stable release of FreeRADIUS.
--Mike
More information about the Freeradius-Users mailing list