Freeradius + AD authentication passing Domain+User

Alejandro Cabrera Obed aco1967 at gmail.com
Sun Jun 25 23:14:39 CEST 2017


Dear people, before doing the new test tomorrow with the AD authentication
useing Freeradius, I need your help:

I need to authenticate the Windows company users from their corresponding
notebooks to our AD, through our Freeradius 2.2.5 server, and without
certificate validation (I don’t install the CA certificate in any notebook
at the moment).

My AD administrator tell me that the defined domain in the Windows DC
server is "company.com" but because it's an “old fashion” Windows server
the company users authenticate from notebooks and desktops in this way:

COMPANY\username

So I replace all the "company.com" strings in my configuration files from
samba, kerberos and freeradius for just "company".

Is it OK what I do???

Please if you can give me the link of a step-by-step guide on Freeradius +
AD auth, because there are seceral guides and they vary from one to another.

Thanks again!!!


2017-06-22 11:49 GMT-03:00 Alejandro Cabrera Obed <aco1967 at gmail.com>:

> Thanks to all, Iwill try later and I will follow your advice.
>
> Any failure, I'll keep in touch with you again.
>
> Regards!!!
>
> 2017-06-22 11:46 GMT-03:00 Enrico Polesel <epol.lists at gmail.com>:
>
>> Hi all,
>>
>> On Thu, Jun 22, 2017 at 4:11 PM Alan DeKok <aland at deployingradius.com>
>> wrote:
>>
>> > >
>> > > Sending Access-Request of id 220 to 127.0.0.1 port 1812
>> > >        User-Name = "alejandro at domain.com <alcabrera at g-bapro.net>"
>> >
>> >   Is the account in AD called "alejandro at domain.com"?  Or is it just
>> > alejandro ?
>> >
>> >   Again... if you're testing a user in AD, you just need to test with
>> the
>> > username that's in AD.  There is simply no reason to do anything else.
>> >
>>
>> Remember that AD has TWO usernames: the sAMAccountName (old style NetBios)
>> and the userPrincipalName (new style, kerberos), the latest also includes
>> the domain.
>>
>> BUT windbind (and ntlm_auth) uses the sAMAccountName username, so be sure
>> to pass that name and not the new userPrincipalName.
>>
>> Cheers,
>> Enrico
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>>
>
>
>
> --
>  //  Alejandro   //
>
>
>
>


-- 
 //  Alejandro   //


More information about the Freeradius-Users mailing list