AD Auth Question

Alan Buxey alan.buxey at gmail.com
Sat Dec 30 22:29:05 CET 2017


Don't mess with the username; it'll break the EAP authentication. The server
and ntlm_auth will handle those forms of IDs fine. Just use the mschap
module and ensure that the NT name stuff (prefix module, IIRC) is enabled.

alan

On 30 Dec 2017 7:43 pm, "Martin, Jeremy" <jmartin at emcc.edu> wrote:

> Thanks for the feedback, makes sense.  I will just need to mutate the
> username from “host/machine.domain.com” to “machine$” which I can handle.
>
> To attempt to answer your question as I understand it: right now this is
> proxied from NPS to freeradius, as the NPS server existed before freeradius
> and we only implemented freeradius when the MD5 requirement came along; it
> was removed from NPS some time ago, and reimplementing it did make it work
> "sometimes", other times it would just fail, so rather than spend time on a
> removed and unsupported feature we decided to move all the MAC and MD5
> dot1x authentication to a freeradius server.  Now I would like to get down
> to just the single RADIUS server again. Now that it has been proven in
> production it is time to scale out for resiliency, but I would like to finish
> the project off by authenticating the PEAP/MSCHAPv2 stuff back to AD, where
> a machine is authenticated once it is joined to the domain.
>
> > On Dec 30, 2017, at 1:19 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> >
> > Fairly easily done - and quite common - we had different requirements
> > when, for example, we migrated from one domain to another.
> >
> > You don't want the exec ntlm_auth thing - that's a diversion. You just
> > use the mschap module (and configure the ntlm line in that - you want
> > to use unlang),
> > and then in the authorise section of the inner-tunnel, call different
> > mschap modules, e.g.
> >
> > pseudo-code: (untested, quickly typed)
> >
> > # unlang regex match is "=~" against a /.../ pattern; "." escaped so it
> > # matches a literal dot rather than any character
> > if (&User-Name =~ /@domain\.com$/) {
> >     mschap-one
> > }
> > if (&User-Name =~ /@other\.domain\.com$/) {
> >     mschap-two
> > }
> >
> >
> > but right now you just send (proxy) all this to NPS?  your aim is to
> > move the authentication to the FR system?
> >
> > alan
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
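A worked version of the two-domain setup discussed in this thread, added here as an example rather than taken from any of the posts. It assumes a FreeRADIUS 3.x layout, ntlm_auth at /usr/bin/ntlm_auth with winbind able to reach both domains, and the placeholder domain names from the thread; it keeps the inner User-Name untouched and lets rlm_mschap's own xlats handle the host/machine.domain.com form.

```unlang
# mods-available/mschap: one mschap instance per AD domain. The
# %{mschap:User-Name} xlat already maps "host/machine.domain.com" to
# "machine$", so nothing rewrites the EAP identity. Paths and domain
# names below are assumptions.
mschap mschap-one {
	use_mppe = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=domain.com --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
mschap mschap-two {
	use_mppe = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=other.domain.com --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-available/inner-tunnel: for PEAP/MSCHAPv2 the eap module hands
# the inner credentials to "Auth-Type MS-CHAP", so the per-domain choice
# is made there. "[@.]" matches both user@domain.com and
# host/machine.domain.com; the longer suffix is tested first because
# "host/pc.other.domain.com" also ends in ".domain.com". Anything that
# matches neither domain is rejected instead of falling through.
authenticate {
	Auth-Type MS-CHAP {
		if (&User-Name =~ /[@.]other\.domain\.com$/i) {
			mschap-two
		}
		elsif (&User-Name =~ /[@.]domain\.com$/i) {
			mschap-one
		}
		else {
			reject
		}
	}
	# remaining Auth-Type blocks as in the stock inner-tunnel
	eap
}
```

Check the selection with radiusd -X: the debug output names which mschap instance ran and the exact ntlm_auth command it executed for each inner identity.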
