MSCHAP - NTLM against groups

Alan DeKok aland at deployingradius.com
Mon Oct 21 15:07:54 CEST 2019


On Oct 21, 2019, at 8:34 AM, Micha Ballmann <ballmann at uni-landau.de> wrote:
> I've configured a new freeradius server for WLAN authentication. My radius server is a domain member on my samba 4.7.12 ADDC. For my mschap configuration I followed this guide: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory.
> 
> The auth works! I can configure ntlm_auth in two different ways?
> 
> ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key
> --username=%{mschap:User-Name} --domain=MYDOMAIN
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
> 
> OR
> 
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"

  They do two slightly different things.  One runs ntlm_auth which then talks to winbind; the second talks to winbind directly, which is much faster.

> Both ways are working, but now I'm hanging a little bit. Currently I'm using this config in /mods-available/mschap:
> 
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"
> 
> (ntlm_auth = ... is commented out)
> 
> I have an AD Group "WLAN".
> 
> How can I authenticate against this group? Is there any directive like "winbind_group = "?

  You don't "authenticate" against a group.  You check group membership.  And that can only be done with LDAP queries.

  So you have to configure mods-enabled/ldap

  Alan DeKok.
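An added example of what "configure mods-enabled/ldap" looks like in practice; this is not from the thread or from the FreeRADIUS or Samba projects. It assumes FreeRADIUS 3.x, an ADDC reachable as dc1.example.internal, a read-only bind account CN=radius-bind (placeholder credentials), a base DN of DC=example,DC=internal, and that the WLAN users come in through PEAP/MSCHAPv2, so the group check is placed in the inner-tunnel virtual server.

```unlang
# --- mods-available/ldap (symlink it into mods-enabled/ to activate) ---
ldap {
    server = 'dc1.example.internal'                      # assumption: your Samba ADDC
    identity = 'CN=radius-bind,CN=Users,DC=example,DC=internal'   # assumption: read-only bind account
    password = 'bind-password-placeholder'               # placeholder, not a real secret
    base_dn = 'DC=example,DC=internal'                   # assumption

    user {
        base_dn = "${..base_dn}"
        # Look the user up by AD logon name. Stripped-User-Name holds the
        # name without the DOMAIN\ prefix once the realm has been stripped;
        # fall back to the raw User-Name otherwise.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        # Compare by CN, so that  LDAP-Group == "WLAN"  matches CN=WLAN,...
        name_attribute = cn
        # AD records memberships on the user object in memberOf
        membership_attribute = 'memberOf'
        cacheable_name = 'no'
        cacheable_dn = 'no'
    }
}

# --- sites-available/inner-tunnel, authorize section (excerpt) ---
authorize {
    # ... existing entries (filter_username, suffix, eap, etc.) ...
    mschap
    ldap
    # Reject anyone who is not a member of the AD group "WLAN".
    # The comparison triggers the group membership lookup via the
    # ldap module above; it never "authenticates" against the group.
    if (!(LDAP-Group == "WLAN")) {
        update reply {
            Reply-Message := "Not a member of the WLAN group"
        }
        reject
    }
    # ... remaining entries ...
}
```

Password verification still happens in the authenticate section through winbind exactly as before; the ldap module is only used here to answer the membership question. Run `radiusd -X` and test with a user inside and one outside the group to confirm that the debug output shows the LDAP-Group comparison resolving the user's DN and reading memberOf.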