mschap machine authentication

Guillermo Vargas-DellaCasa gvargas-dellacasa at nhvweb.net
Thu Jul 20 04:07:14 CEST 2006


I'm using FreeRadius 1.1.2. I wanted to share what I did to get Windows
machine authentication (via ntlm_auth) to work properly in my network.

After configuring FreeRadius for ntlm_auth against my Windows network, I
found that not all machines got authenticated. Machines with names
longer than 15 characters did not get authenticated.

I found out that this is because the Windows supplicant sends the machine
name as "host/quitelongmachinename.company.domain", and the mschap
module of FreeRadius strips it down to "quitelongmachinename" and uses that
when running ntlm_auth (it actually uses "quitelongmachinename$"). But
ntlm_auth needs "quitelongmachin$" to work (i.e. only the first 15
chars).

So, I went to "src/modules/rlm_mschap/rlm_mschap.c" and changed this
line:

snprintf(out, outlen, "%s$", user_name->strvalue + 5);

with these lines:

/* ntlm_auth wants the NetBIOS machine account: at most 15 chars plus '$' */
char largo[20] = "";
snprintf(largo, 16, "%s", user_name->strvalue + 5);  /* copy at most 15 chars after "host/" */
strcat(largo, "$");                                  /* append the machine-account '$' */
strNcpy(out, largo, (outlen < 17) ? outlen : 17);    /* copy to out, never past the caller's buffer */

And recompiled. That got FreeRadius to send to ntlm_auth only the first
15 chars of the machinename when doing machine authentication.

I'm not a programmer, so probably what's above is not the nicest way to
get the idea done, but hey, it worked pretty well. Now machine
authentication works no matter how long the machine name is. Thought I
would share it...

FreeRadius version: 1.1.2
Authentication method: PEAP-MSCHAP
Client: Windows XP supplicant
Authenticating against: A windows AD domain via ntlm_auth
Samba version: 3.0.22

G.
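As an added example (not code from the post above or from FreeRADIUS itself), the mapping the post describes, written as a stand-alone function: take the identity a Windows supplicant sends for machine authentication, drop the "host/" prefix, keep only the host label up to the first '.', cut it to the 15-character NetBIOS limit (a Windows computer account's sAMAccountName is its NetBIOS name followed by '$'), append '$', and refuse to overrun the caller's buffer. The function name, the return convention and the constant NETBIOS_NAME_MAX are this example's own choices, and the sample identities in main() are constructed; the long one reproduces the post's case and yields the "quitelongmachin$" that ntlm_auth expects.

```c
#include <stdio.h>
#include <string.h>

/* Windows NetBIOS computer names are at most 15 characters. */
#define NETBIOS_NAME_MAX 15

/*
 * machine_account_name(): derive the machine account that ntlm_auth
 * expects from a supplicant identity of the form "host/<fqdn>".
 *
 *   "host/quitelongmachinename.company.domain" -> "quitelongmachin$"
 *
 * Writes at most outlen bytes (including the NUL terminator) to out.
 * Returns the number of characters written (excluding the NUL), or -1
 * when the identity is not a host/ identity, the host label is empty,
 * or the output buffer is too small.
 */
int machine_account_name(const char *identity, char *out, size_t outlen)
{
    const char *label;
    size_t len;

    if (!identity || !out || outlen == 0) return -1;

    /* Only machine authentication identities carry the "host/" prefix. */
    if (strncmp(identity, "host/", 5) != 0) return -1;
    label = identity + 5;

    /* The host label ends at the first '.' (or at end of string). */
    len = strcspn(label, ".");
    if (len == 0) return -1;

    /* Truncate to the NetBIOS limit, as Windows does for the computer name. */
    if (len > NETBIOS_NAME_MAX) len = NETBIOS_NAME_MAX;

    /* Need room for the label, the '$' and the terminating NUL. */
    if (outlen < len + 2) return -1;

    memcpy(out, label, len);
    out[len] = '$';
    out[len + 1] = '\0';
    return (int)(len + 1);
}

int main(void)
{
    /* Constructed sample identities, not captured traffic. */
    const char *ids[] = {
        "host/quitelongmachinename.company.domain", /* > 15 chars: truncated */
        "host/pc01.company.domain",                 /* short name: kept whole */
        "host/shortname",                           /* no domain suffix */
        "DOMAIN\\alice",                            /* user auth, not a machine */
    };
    char buf[NETBIOS_NAME_MAX + 2];
    size_t i;

    for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        if (machine_account_name(ids[i], buf, sizeof(buf)) < 0)
            printf("%-45s -> (not a machine identity)\n", ids[i]);
        else
            printf("%-45s -> %s\n", ids[i], buf);
    }
    return 0;
}
```

The buffer check is the part the in-place patch skips: rlm_mschap hands the xlat an outlen, and copying a fixed 17 bytes only works because that buffer happens to be large. Cutting at the first '.' rather than at a fixed offset also keeps short names such as "pc01" intact instead of pulling part of the domain suffix into the account name.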
