Change username for MSCHAPv2

Enrico Polesel epol.lists at gmail.com
Fri Jun 30 21:04:42 CEST 2017


Hi,

I had a similar problem that I resolved with an LDAP query. In this way I
also extract other parameters from the AD database that I can use for
authorization (for example group membership).

The main idea is to configure the LDAP module with a proper filter:
* if you want to match just userPrincipalName:
  filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)"
* if you want to match userPrincipalName OR sAMAccountName:
  filter = "(|(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

and then map the LDAP attribute sAMAccountName to some custom RADIUS
attribute (I defined, for example, AD-Samaccountname) in the control
list. Then you can just use --username=%{control:AD-Samaccountname}
in the ntlm_auth exec command.

I wrote a post about it on my blog[1], unfortunately it is for FR2 and not
FR3 (and, as usual, it's not the official wiki). The idea for this "trick"
is not mine but it came from some old post in this list.

Regards,
Enrico


[1]
https://uz.sns.it/~enrico/site/posts/networking/ntlm-auth-in-freeradius-using-userprincipalname-instead-of-samaccountname-or-both.html
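As an added example (not from this thread or from Enrico's blog post), here is how the pieces described above fit together in a FreeRADIUS 3 configuration layout. The server name, bind DN, domain name and the attribute number 3000 are placeholders; the filter and the control-attribute trick are the ones from the post.

```conf
# /etc/raddb/dictionary (local dictionary): define the custom attribute.
# 3000 is an arbitrary number in the local-attribute range (assumption).
ATTRIBUTE   AD-Samaccountname   3000    string

# /etc/raddb/mods-available/ldap (hypothetical server, bind DN, base DN)
ldap {
    server   = 'ad.example.com'
    identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'
    password = 'REPLACE-WITH-BIND-PASSWORD'
    base_dn  = 'DC=example,DC=com'

    user {
        base_dn = "${..base_dn}"
        # Match on userPrincipalName OR sAMAccountName, as in the post.
        filter = "(|(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
    }

    update {
        # Copy the AD attribute into the control list; User-Name is untouched.
        control:AD-Samaccountname := 'sAMAccountName'
    }
}

# /etc/raddb/mods-available/mschap: hand the looked-up sAMAccountName to
# ntlm_auth instead of the (possibly UPN-style) identity the client sent.
# If the LDAP lookup found nothing, control:AD-Samaccountname is empty and
# ntlm_auth fails, so an unknown user is rejected rather than guessed.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{control:AD-Samaccountname} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# /etc/raddb/sites-available/inner-tunnel: ldap has to run in authorize so
# that control:AD-Samaccountname exists when mschap runs in authenticate.
authorize {
    filter_username
    mschap
    suffix
    eap
    ldap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```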

On Fri, Jun 30, 2017 at 7:26 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele at verzeletti.org>
> wrote:
> >
> > Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
> > I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP
> and MSCHAPv2 against Active directory.
> > User accounts are identified by userPrincipalName, but ntlm_auth is not
> able to authenticate using this attribute, it looks into samAccountName.
>
>   ntlm_auth just passes data from FreeRADIUS to AD.  If the user is being
> rejected, it's not because of ntlm_auth.
>
> > With an external script I'm able to perform a query on active directory
> and retrieve the samAccountName, but if I update the attribute User-Name
> using
> >
> > authorize {
> >     update request {
> >        User-Name := `/path/to/my/script '%{User-Name}'`
> >    }
> > }
>
>   Don't edit the User-Name.  It's wrong.
>
>   You also don't need to run a script to do this.  FreeRADIUS can do LDAP
> queries natively.
>
> > I have an error in the log
> >
> > (0) # Executing group from file /etc/raddb/sites-enabled/default
> > (0)   authenticate {
> > (0) eap: Identity does not match User-Name, setting from EAP Identity
> > (0) eap: Failed in handler
> > (0)     [eap] = invalid
> > (0)   } # authenticate = invalid
>
>   Yup
>
>   In the short term, you can do:
>
> authorize {
>         update request {
>                 Stripped-User-Name :=  `/path/to/my/script '%{User-Name}'`
>         }
> }
>
>   And be sure that the configuration line which runs ntlm_auth uses
> Stripped-User-Name.
>
>   Alan DeKok.
>
>