ntlm_auth and machine authentication (workaround)

Michael Griego mgriego at utdallas.edu
Thu Oct 20 15:36:38 CEST 2005


See the list postings from earlier in the day...  If you grab the latest 
CVS snapshot, you don't have to use the Perl wrapper as the rlm_mschap 
module will do the name rewriting for you.

--Mike


Roy Hooper wrote:
> After spending a fair bit of time searching list archives and google results,
> I've managed to make ntlm_auth work for both users and machine accounts.
>
> This fix requires patching of Samba (thanks go to Mike McCauley of OSC/Radiator
> for the howto on the fix and to Matthew Alexander for pointing it out in
> samba's lists).  This patch may break Samba for other purposes, as I have only
> tested it to verify ntlm_auth can do both user and account challenge/response
> authentication for MSCHAPv2 for PEAP.
>
> The second part to the fix is an ntlm_auth wrapper that deals with DOMAIN\\user
> format usernames and translates WinXP "host/" machine names to NT machine
> usernames.
>
> ---BEGIN /usr/local/bin/ntlm_auth_hack---
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> # Wrapper around ntlm_auth for rlm_mschap: rewrite the --username
> # argument, then hand everything to the real binary.
> my $ARGS = join(" ", @ARGV);
> if ($ARGS =~ m{--username=host/\S+}) {
>         # WinXP machine auth sends "host/name.domain"; NT wants "name$"
>         $ARGS =~ s{--username=host/([^\s.]+)\S+}{--username $1\$};
> } else {
>         # "DOMAIN\\user" becomes separate --domain and --username arguments
>         $ARGS =~ s{--username=([^\\]+)\\\\}{--domain=$1 --username=};
> }
> system("/usr/local/bin/ntlm_auth", split(" ", $ARGS));
> # Pass ntlm_auth's exit status back so rlm_mschap sees a failed check
> exit($? >> 8);
> ---END /usr/local/bin/ntlm_auth_hack---
>
> And so the example is somewhere other than my head, the following returns the
> appropriate attributes to a Cisco AP to assign a particular vlan, in this case,
> vlan-266, when doing EAP.
>
> # Assign a VLAN to any user from this station
> DEFAULT         Calling-Station-Id == "1234.1234.1234"
>         Framed-Type = Framed,
>         Tunnel-Type:1 = VLAN,
>         Tunnel-Medium-Type:1 = IEEE-802,
>         Tunnel-Private-Group-ID:1 = 100
>
>
> And another fun one:
>
> # Assign a particular VLAN to a user from a particular station
> DOMAIN\\user  Calling-Station-Id == "1234.1234.1234"
>         Framed-Type = Framed,
>         Tunnel-Type:1 = VLAN,
>         Tunnel-Medium-Type:1 = IEEE-802,
>         Tunnel-Private-Group-ID:1 = 200
>
>
> Naturally the DEFAULT should come after the specific user match.
>
> (uuencoded attachment cli_netlogon.c.patch omitted)
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
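The same User-Name rewriting the Perl wrapper above performs, as an added example that is not part of the original post or of FreeRADIUS/Samba: it keeps each ntlm_auth argument intact instead of re-splitting on whitespace, validates the hex challenge/response, and reads back the NT_KEY line ntlm_auth prints. The ntlm_auth path is the one from the post; the single-backslash "DOMAIN\user" form is assumed to be what arrives on the wire.

```python
import re
import subprocess

NTLM_AUTH = "/usr/local/bin/ntlm_auth"   # path taken from the post
HEX = re.compile(r"^[0-9a-fA-F]+$")


def rewrite_user_name(user_name):
    """Map a RADIUS User-Name to the (domain, username) pair ntlm_auth expects.

    host/pc1.example.com -> (None, "pc1$")   WinXP machine auth -> NT machine account
    DOMAIN\\user         -> ("DOMAIN", "user")
    user                 -> (None, "user")
    """
    if user_name.startswith("host/"):
        # Keep only the host part of the FQDN and append the machine-account '$'.
        short = user_name[len("host/"):].split(".", 1)[0]
        return None, short + "$"
    domain, sep, user = user_name.partition("\\")
    if sep:
        return domain, user
    return None, user_name


def build_argv(user_name, challenge, nt_response):
    """Build the ntlm_auth argument vector for an MSCHAPv2 check.

    Arguments are returned as a list, so a User-Name containing whitespace
    stays one argument rather than turning into extra ntlm_auth options.
    """
    if not (HEX.match(challenge) and HEX.match(nt_response)):
        raise ValueError("challenge and NT-Response must be hex strings")
    domain, user = rewrite_user_name(user_name)
    argv = [NTLM_AUTH, "--request-nt-key", "--username=" + user]
    if domain is not None:
        argv.append("--domain=" + domain)
    argv += ["--challenge=" + challenge, "--nt-response=" + nt_response]
    return argv


def parse_nt_key(output):
    """Return the hex NT_KEY ntlm_auth prints on success, or None on failure."""
    m = re.search(r"^NT_KEY:\s*([0-9a-fA-F]+)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None


def authenticate(user_name, challenge, nt_response):
    """Run ntlm_auth and return (exit_code, nt_key); the exit code is propagated as-is."""
    proc = subprocess.run(build_argv(user_name, challenge, nt_response),
                          capture_output=True, text=True)
    return proc.returncode, parse_nt_key(proc.stdout)
```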