machine authentication
Michael Messner
michael.messner_edv at inode.at
Wed Nov 15 17:07:43 CET 2006
OK, now the normal authentication process works again!
Normally our config for the LDAP request looks like the following:
radiusd.conf:
basedn = "CN=Users,DC=isalab,DC=local"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
groupname_attribute = cn
groupmembership_filter = "(|(&(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
users:
DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == ISALAB.local
        Filter-ID = "Enterasys:version=1:mgmt=su:policy=adminrole",
        Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network",
        Fall-Through = No
With this config we get the group membership of the users and we can
give the Filter-ID back to the switches.
But with machine authentication it looks a bit different!
First, the DC is Computers, no longer Users; then the sAMAccountName is for
example IT88$, and FreeRADIUS gives the name host/it88.isalab.local to the
AD, but this name is stored in the servicePrincipalName!
Also, there is no memberOf any more on the device!
Any ideas how this can be done?
ca mIke
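An added illustration of the mismatch the post describes (not FreeRADIUS code and not from the poster): a tiny LDAP filter evaluator run over constructed directory entries, showing that the sAMAccountName filter finds the user but not the computer object, while an assumed alternative filter that also checks servicePrincipalName finds both; the entry contents, DNs and the machine_aware_filter shape are assumptions modelled on the post.

```python
# Constructed mock AD entries modelled on the post (assumed values, not real data).
DIRECTORY = [
    {"dn": "CN=mmessner,CN=Users,DC=isalab,DC=local",
     "sAMAccountName": ["mmessner"],
     "memberOf": ["CN=adminrole,CN=users,DC=isalab,DC=local"]},
    {"dn": "CN=IT88,CN=Computers,DC=isalab,DC=local",
     "sAMAccountName": ["IT88$"],
     "servicePrincipalName": ["HOST/it88.isalab.local"]},  # no memberOf, as in the post
]

def user_filter(identity):
    """Filter from the post: only matches objects by sAMAccountName."""
    return f"(sAMAccountName={identity})"

def machine_aware_filter(identity):
    """Assumed alternative: also accept the host/... SPN of a computer object."""
    return f"(|(sAMAccountName={identity})(servicePrincipalName={identity}))"

def _parse(s, i=0):
    """Minimal RFC 4515 subset: (attr=value), (&...), (|...); no escaping."""
    i += 1                                   # skip '('
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        return (op, subs), i + 1             # skip closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def matches(flt, entry):
    """Evaluate a filter against one entry; AD compares these strings case-insensitively."""
    def ev(node):
        if node[0] == "&": return all(ev(c) for c in node[1])
        if node[0] == "|": return any(ev(c) for c in node[1])
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    return ev(_parse(flt)[0])

def search(flt):
    """DNs of entries matching the filter (what becomes Ldap-UserDn)."""
    return [e["dn"] for e in DIRECTORY if matches(flt, e)]

def groups_of(dn):
    """memberOf values of an entry; empty for the computer object."""
    entry = next(e for e in DIRECTORY if e["dn"] == dn)
    return entry.get("memberOf", [])
```

Because the computer object carries no memberOf, even a successful lookup leaves LDAP-Group empty, so the users entry above would still not match for the machine.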