PEAP Machine Auth without NTLM or LDAP
Sayantan Bhowmick
sbhowmick at novell.com
Mon Jan 30 16:16:25 CET 2006
Thanks for the replies.
Regards,
-Sayantan
>>> On Mon, Jan 30, 2006 at 6:55 pm, in message
<43DE13C1.8000802 at imperial.ac.uk>,
p.mayers at imperial.ac.uk wrote:
> Sayantan Bhowmick wrote:
>> HI,
>> I am trying a similar setup with some variation.
>>
>>> If there is no PDC, there's no domain, so there *is* no machine
>>> account.
>>
>> I have set up a Samba PDC and am using Novell eDirectory as the
>> back-end store. In this scenario is it possible to perform
>> PEAP-MSCHAPv2 machine authentication by adding the WinXP machine to
>> the Samba PDC and without using ntlm_auth. Any help will be much
>> appreciated.
>
> Maybe. It's not a common use-case.
>
> There should be an account in the domain of MACHINENAME$ - it should
> have an ntPassword LDAP attribute (or whatever it's called in your
> schema). If you set up the FreeRadius LDAP module to correctly extract
> the ntPassword attribute and add it as an NT-Password configure item,
> I don't see any reason the FreeRadius ms-chap module wouldn't work.
>
> So, something like:
>
> modules {
>     mschap {
>     }
>     ldap {
>         # configure LDAP here
>     }
> }
> authorize {
>     preprocess
>     mschap
>     eap
>     ldap
> }
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     eap
> }
>
> The "configure LDAP here" should be fairly straightforward - read the
> default configuration and unless you have a non-standard setup things
> should work.
>
> Things you might have to alter:
>
> 1. If your LDAP schema puts the NT hash in an attribute other than
> ntPassword, edit the "ldap.attrmap" file
> 2. If your LDAP schema does not contain the ntPassword but uses the
> Novell eDir "universal password" stuff (I'm not sure how that would
> work as a samba backend, so I doubt it) read the comments about
> setting up eDir in the default radiusd.conf
>
> Other possible issues - the machine may announce itself as
> "HOST/MACHINENAME" in which case you need to fix that - see posts on
> the mailing list about using the "hints" file to strip the host/ and
> append a $ but I can't find them because the FreeRadius archives are
> unsearchable (every "help me" post with FR debug output contains those
> strings!)
>
>>
>>
>> Regards,
>> -Sayantan
>> -
>> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
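Pulling the reply's pieces together, the following is an added example (not from the thread above and not the FreeRADIUS project's own configuration) of what the server side looks like when the NT hash is handed to the mschap module straight from LDAP, with no ntlm_auth. It assumes FreeRADIUS 2.x unlang syntax for the host/ rewrite instead of the hints file the reply refers to, the Samba 3 schema attribute sambaNTPassword (the older schema's ntPassword is already mapped in the default ldap.attrmap), that the same authorize/authenticate logic is applied to the tunnelled request where the MS-CHAPv2 exchange actually happens, and a hypothetical LDAP server name, bind DN, base DN and password:

```text
# --- radiusd.conf fragment (added example; names below are assumptions) ---
modules {
    ldap {
        server   = "ldap.example.com"          # assumption
        identity = "cn=radius,o=example"       # assumption: must be allowed to READ sambaNTPassword
        password = "change-me"                 # assumption
        basedn   = "ou=computers,o=example"    # assumption: where the MACHINENAME$ accounts live

        # Look the machine account up by the rewritten name (MACHINENAME$),
        # falling back to the raw User-Name for ordinary user logins.
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # The attrmap turns the hash attribute into an NT-Password check item.
        dictionary_mapping = ${confdir}/ldap.attrmap
    }
    mschap {
        # Deliberately no ntlm_auth setting: the NT hash arrives from LDAP as NT-Password.
    }
}

authorize {
    preprocess
    # Windows announces a machine as host/machinename.example.com.
    # Rewrite ONLY Stripped-User-Name: mschap hashes the MS-CHAPv2 challenge
    # with the name the client actually sent, so rewriting User-Name itself
    # would make every machine authentication fail even with the right hash.
    if (User-Name =~ /^host\/([^.]+)(\..*)?$/i) {
        update request {
            Stripped-User-Name := "%{1}$"
        }
    }
    mschap
    eap
    ldap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

# --- ldap.attrmap: one added line for the Samba 3 schema ---
# checkItem  NT-Password  sambaNTPassword
```

Two checks worth doing before blaming the mschap module. First, Samba-on-LDAP deployments normally restrict who may read sambaNTPassword; run an ldapsearch as the bind identity above and confirm the attribute actually comes back, otherwise the ldap module never adds NT-Password and MS-CHAPv2 fails as if the hash were wrong. Second, remember that the value in that attribute is password-equivalent: anyone who can read it can impersonate the machine, so the bind identity's read right should be as narrow as the directory allows and radiusd.conf should not be world-readable.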