Change username for MSCHAPv2

Gabriele Verzeletti gabriele at verzeletti.org
Fri Jun 30 21:46:31 CEST 2017


Good tutorial, I'll try it in my environment.

Thanks a lot

On 30 Jun 2017 9:05 PM, "Enrico Polesel" <epol.lists at gmail.com> wrote:

> Hi,
>
> I had a similar problem that I resolved with a LDAP query. In this way I
> also extract other parameters from the AD database that I can use for
> authorization (for example groups membership).
>
> The main idea is to configure the LDAP module with a proper filter:
> * if you want to match just userPrincipalName:
>   filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)"
> * if you want to match userPrincipalName OR sAMAccountName:
>   filter = "(|(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> and then map the LDAP attribute sAMAccountName in some radius custom
> attribute (I defined, for example, AD-Samaccountname) in the control
> dictionary. Then you can just use --username=%{control:AD-Samaccountname}
> in the ntlm_auth exec command.
>
> I wrote a post about it on my blog[1], unfortunately it is for FR2 and not
> FR3 (and, as usual, it's not the official wiki). The idea for this "trick"
> is not mine but it came from some old post in this list.
>
> Regards,
> Enrico
>
>
> [1] https://uz.sns.it/~enrico/site/posts/networking/ntlm-auth-in-freeradius-using-userprincipalname-instead-of-samaccountname-or-both.html
>
> On Fri, Jun 30, 2017 at 7:26 PM Alan DeKok <aland at deployingradius.com>
> wrote:
>
> > On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele at verzeletti.org> wrote:
> > >
> > > Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
> > > I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP
> > > and MSCHAPv2 against Active directory.
> > > User accounts are identified by userPrincipalName, but ntlm_auth is not
> > > able to authenticate using this attribute, it looks into samAccountName.
> >
> >   ntlm_auth just passes data from FreeRADIUS to AD.  If the user is being
> > rejected, it's not because of ntlm_auth.
> >
> > > With an external script I'm able to perform a query on active directory
> > > and retrieve the samAccountName, but if I update the attribute User-Name
> > > using
> > >
> > > authorize {
> > >     update request {
> > >        User-Name := `/path/to/my/script '%{User-Name}'`
> > >     }
> > > }
> >
> >   Don't edit the User-Name.  It's wrong.
> >
> >   You also don't need to run a script to do this.  FreeRADIUS can do LDAP
> > queries natively.
> >
> > > I have an error in the log
> > >
> > > (0) # Executing group from file /etc/raddb/sites-enabled/default
> > > (0)   authenticate {
> > > (0) eap: Identity does not match User-Name, setting from EAP Identity
> > > (0) eap: Failed in handler
> > > (0)     [eap] = invalid
> > > (0)   } # authenticate = invalid
> >
> >   Yup
> >
> >   In the short term, you can do:
> >
> > authorize {
> >         update request {
> >                 Stripped-User-Name := `/path/to/my/script '%{User-Name}'`
> >         }
> > }
> >
> >   And be sure that the configuration line which runs ntlm_auth uses
> > Stripped-User-Name.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
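A worked FreeRADIUS 3 configuration for the LDAP-based approach Enrico and Alan describe above, added here as an illustration; it is not taken from the thread or from Enrico's blog post. It assumes the standard FreeRADIUS 3 file layout (raddb/dictionary, mods-available/ldap, mods-available/mschap, sites-available/inner-tunnel); the server name, bind DN, domain name and the local attribute number 3000 are placeholder values to be replaced with your own.

```text
# --- raddb/dictionary
# Site-local attribute; numbers from 3000 upwards are reserved for local use.
ATTRIBUTE   AD-Samaccountname   3000    string

# --- raddb/mods-available/ldap (only the settings relevant to this thread)
ldap {
    server   = 'dc1.example.com'                                      # placeholder
    identity = 'CN=radius-bind,OU=Service Accounts,DC=example,DC=com'  # placeholder, read-only bind account
    password = 'REPLACE_ME'                                           # placeholder
    base_dn  = 'DC=example,DC=com'                                    # placeholder

    user {
        base_dn = "${..base_dn}"
        # Match either the UPN (bare name typed by the user plus the realm)
        # or the plain sAMAccountName, as in Enrico's second filter.
        filter = "(|(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
    }

    # Copy the directory's sAMAccountName into the control list.
    # User-Name itself is left untouched, which is what Alan insists on:
    # the EAP layer compares it against the EAP Identity.
    update {
        control:AD-Samaccountname := 'sAMAccountName'
    }
}

# --- raddb/mods-available/mschap
# For PEAP/MSCHAPv2 the ntlm_auth call lives in the mschap module.
# The nested %{...:-...} fallback sends the name as typed if the LDAP
# lookup set nothing, so a missing user never produces an empty --username.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{User-Name}}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- raddb/sites-available/inner-tunnel
# ldap must run before mschap so the control attribute exists when
# mschap expands its ntlm_auth command line.
authorize {
    filter_username
    suffix
    mschap
    eap {
        ok = return
    }
    ldap
    pap
}
```

Run the server with `radiusd -X` and look for the `ldap` module adding `control:AD-Samaccountname` in the inner-tunnel authorize output before `mschap` runs ntlm_auth; if the attribute is absent the filter did not match, and the fallback means the user is still authenticated against whatever they typed rather than silently failing with an empty name. Keeping the bind account read-only and the mapping in the control list (never the request's User-Name) preserves the EAP identity check that produced the "Identity does not match User-Name" error in the original log.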


More information about the Freeradius-Users mailing list