Radius-based windows authentication

Phil Mayers p.mayers at imperial.ac.uk
Tue Apr 29 15:21:29 CEST 2008


Julien MIOTTE wrote:
>>   1. Using the windows native supplicant and machine account
>> authentication. Basically the process is this:
>>      * machine powers on - no-one logged in
>>      * machine uses its own domain account to login "host/$machinename"
>>      * user presses ctrl+alt+del
>>      * machine validates credentials to the domain controller, over the
>> current network connection
>>      * machine downloads the user's profile
>>      * once the profile is downloaded, the machine does an EAP-Logoff and
>> then re-authenticates using the user credentials
>>      * when the user logs out, the machine does an EAP-Logoff and then
>> logs back in using the machine account
> 
> Hi, I've been trying to do as you told me.

There's no need to CC me. I read the list.

> Using the native supplicant and MSCHAPv2 on PEAP, the machine now sends its
> own credentials. My problem is that the login is sent with the
> prefix "host/". In my LDAP, the entry of the machine is machine_name$.
> 
> I tried to fix this through various ways, and I succeeded by adding an entry in
> the hints file:
> 	DEFAULT Prefix == "host/", Strip-User-Name = "Yes"
> 
> and by changing the filter in the LDAP section:
> 	filter="(uid=%{Stripped-User-Name:-%{User-Name}})"
> to
> 	filter="(uid=%{Stripped-User-Name:-%{User-Name}}$)"
> 
> Now the authorization works fine, but when the authenticate section is
> processed, the debug prints this:
> 	rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> 
> Am I doing all of this right?
> 

There's a better way; use the mschap module expansion function, which 
will both strip and suffix for you:

filter = "(uid=%{mschap:User-Name})"
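To make the difference between the two approaches in this thread concrete, here is an added Python model (not FreeRADIUS code, and not something either poster wrote) of what the hints-file rewrite and the `%{mschap:User-Name}` expansion each turn an EAP identity into before it is interpolated into the LDAP filter. It assumes the documented rlm_mschap behaviour for `User-Name`: a `host/` identity is cut at the first dot and gets `$` appended, and a `DOMAIN\user` identity has the domain stripped; the sample identities are constructed, and the assumption that a Windows supplicant may send the machine's FQDN after `host/` is labelled as such. The filter values are escaped per RFC 4515 so that metacharacters in a client-supplied identity cannot alter the filter's meaning.

```python
"""Model of the two machine-account name rewrites discussed in the thread.

The functions below are an illustration written for this page; they are not
FreeRADIUS source and only approximate the behaviour of the hints file and of
the rlm_mschap %{mschap:User-Name} expansion as described in its documentation.
"""

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters so a client-controlled name stays a literal."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def hints_plus_suffix(identity: str) -> str:
    """The approach from the question: hints strips 'host/', the filter adds '$'.

    Mirrors: DEFAULT Prefix == "host/", Strip-User-Name = "Yes"
             filter="(uid=%{Stripped-User-Name:-%{User-Name}}$)"
    """
    if identity.startswith("host/"):
        return identity[len("host/"):] + "$"
    return identity + "$"  # the '$' is appended unconditionally by that filter


def mschap_user_name(identity: str) -> str:
    """Model of %{mschap:User-Name} (assumption: matches rlm_mschap's documented rules).

    host/NAME[.domain...]  ->  NAME$     (machine account, short host name only)
    DOMAIN\\user           ->  user      (domain prefix stripped)
    user                   ->  user      (unchanged)
    """
    if identity.startswith("host/"):
        host = identity[len("host/"):]
        short_name = host.split(".", 1)[0]
        return short_name + "$"
    if "\\" in identity:
        return identity.rsplit("\\", 1)[1]
    return identity


def build_filter(identity: str, rewrite) -> str:
    """Produce the (uid=...) filter for a given rewrite strategy, escaped."""
    return "(uid=%s)" % ldap_escape(rewrite(identity))


def compare(identity: str) -> dict:
    """Return both filters for one identity so the difference is visible."""
    return {
        "hints+suffix": build_filter(identity, hints_plus_suffix),
        "mschap xlat": build_filter(identity, mschap_user_name),
    }


if __name__ == "__main__":
    # Constructed sample identities, including the FQDN form a Windows
    # supplicant is assumed to send for a domain-joined machine.
    for ident in ("host/pc01", "host/pc01.example.com", "EXAMPLE\\alice", "bob*"):
        print(ident, "->", compare(ident))
```

Running it shows that both rewrites agree for `host/pc01`, but for `host/pc01.example.com` the hints approach yields `(uid=pc01.example.com$)` while the mschap expansion yields `(uid=pc01$)`, which is the form the machine's directory entry uses. The `bob*` case shows the escaping turning a wildcard into a literal `bob\2a`.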