New User and AD Question
James J J Hooper
jjj.hooper at bristol.ac.uk
Sun Feb 27 20:20:28 CET 2011
On 27/02/2011 18:08, McNutt, Justin M. wrote:
> New member to the list, here. I have a question about AD computer-based
> authentication. Basically, how is it accomplished?
> I have Googled and Googled, but only found references to the fact that it
> *can* be done (mostly from archives of this list), but little reference on
> HOW to do it, other than that it has something to do with editing the
> "realms" file. I also went to #freeradius on FreeNode, but it seemed there
> was rarely anyone in the channel. So here I am.
> I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM
> (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that
> is a member of an AD domain via Samba 3.5.4 (which was required to talk to
> the 2008R2 domain controllers). We have a multi-domain, single forest
> environment.
> I'm running two virtual servers, based on the defaults. I have the
> "campus-main" virtual server that is pretty much the exact same as the
> default, except that I have LDAP authentication enabled. This works
> perfectly and is able to authenticate users for all domains. I also have
> the "campus-eap" and "campus-inner-tunnel" virtual servers for EAP
> authentication that are the same as the "default" and "inner-tunnel"
> servers except for the names. (I copied them so I could make changes to
> the "campus-XXX" virtual servers and still have the originals for reference.)
> The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine
> for all users in all domains (authenticated via ntlm_auth) EXCEPT for the
> "host\\computer.domain.name" users (the computer accounts). I'd like to
> make this work, partly because a large number of the failed login attempts
> in my logs are from hosts that are valid domain members.
> Sooo... help? What's the basic idea behind making this work?
Hi Justin,
Could you send us the output of radiusd -X for a computer auth?
If it works for users it should just work for machines.
You'll need to make sure you have samba > 3.0.23 [IIRC] [which you seem to
have] and your ntlm_auth line has to have an appropriately formatted
User-Name bit e.g. %{mschap:User-Name} (the mschap module will take
host\\computer.domain.name and turn it into computer$ automatically).
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk http://www.jamesjj.net
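Added illustration (not James's text and not FreeRADIUS's own code): a small stand-alone model of the User-Name rewriting the reply above attributes to %{mschap:User-Name}, together with the domain extraction the companion %{mschap:NT-Domain} xlat performs on DOMAIN\\user names. Assumptions are labelled in the code: the account names are constructed for this page; Windows supplicants send the machine identity as host/fqdn (the reply writes it with a backslash, so both forms are accepted); and what is done for the domain of a host/ name, which carries no NT domain, is this model's choice, not a claim about rlm_mschap 2.1.7.

```python
"""
Model of the User-Name / NT-Domain rewriting used to build the ntlm_auth
command line in FreeRADIUS's mschap module.  Written for this page as an
illustration; it is NOT the rlm_mschap source.
"""
from typing import Optional

# Windows supplicants send the machine identity as host/<fqdn>; the reply
# above spells it host\\<fqdn>, so both prefixes are recognised here.
MACHINE_PREFIXES = ("host/", "host\\")


def mschap_user_name(user_name: str) -> str:
    """
    Return the account name that would be passed as ntlm_auth --username=.

    Modelled behaviour (as described in the reply above):
      host/computer.domain.name -> computer$   (computer account)
      DOMAIN\\user               -> user        (domain prefix stripped)
      user                      -> user        (left alone)
    """
    lowered = user_name.lower()
    for prefix in MACHINE_PREFIXES:
        if lowered.startswith(prefix):
            # AD knows a machine account as <shortname>$, so keep the first
            # DNS label of the FQDN and append the '$' suffix.
            fqdn = user_name[len(prefix):]
            return fqdn.split(".", 1)[0] + "$"
    # DOMAIN\user: the part after the last backslash is the account.
    return user_name.rsplit("\\", 1)[-1]


def mschap_nt_domain(user_name: str, default_domain: Optional[str] = None) -> Optional[str]:
    """
    Return the value that would be passed as ntlm_auth --domain=.

    DOMAIN\\user yields DOMAIN.  A host/<fqdn> identity carries no NT domain
    (its DNS suffix is not the NT domain name), so this model falls back to
    a caller-supplied default.  That fallback is an assumption made for this
    illustration, not documented rlm_mschap behaviour.
    """
    lowered = user_name.lower()
    if lowered.startswith(MACHINE_PREFIXES):
        return default_domain
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return default_domain


if __name__ == "__main__":
    # Constructed sample identities, as a supplicant in the scenario above
    # might present them (not real hosts or users).
    for ident in ("host/pc123.campus.example.edu",
                  "host\\pc123.campus.example.edu",
                  "CAMPUS\\jdoe",
                  "jdoe"):
        print(f"{ident:35} -> --username={mschap_user_name(ident)} "
              f"--domain={mschap_nt_domain(ident, 'CAMPUS')}")
```

The stock 2.x mschap module builds its ntlm_auth line from exactly these expansions, e.g. `--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}` alongside the challenge and NT-response xlats; running `radiusd -X` for a machine authentication, as the reply asks for, shows the fully expanded command line, which is the quickest way to check that a host/ identity has actually been turned into computer$ before it reaches Samba.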