MSCHAP - NTLM against groups

Micha Ballmann ballmann at uni-landau.de
Mon Oct 21 15:33:25 CEST 2019


Thank you very much for your fast answer.

There is a prefix like "--require-membership-of="

I disabled winbind directly auth, enabled ntlm_auth and added 
"--require-membership-of='DOMAIN\wlan'".

It works!

Is there any disadvantage to LDAP?

Regards
Micha

On 21.10.2019 at 15:07, Alan DeKok wrote:
> On Oct 21, 2019, at 8:34 AM, Micha Ballmann <ballmann at uni-landau.de> wrote:
>> I've configured a new freeradius server for WLAN authentication. My radius server is a domain member on my samba 4.7.12 ADDC. For my mschap configuration I followed this guide: https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory.
>>
>> The auth works! I can configure ntlm_auth in two different ways?
>>
>> ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key
>> --username=%{mschap:User-Name} --domain=MYDOMAIN
>> --challenge=%{%{mschap:Challenge}:-00}
>> --nt-response=%{%{mschap:NT-Response}:-00}"
>>
>> OR
>>
>> winbind_username = "%{mschap:User-Name}"
>> winbind_domain = "%{mschap:NT-Domain}"
>    They do two slightly different things.  One runs ntlm_auth which then talks to winbind, the second talks to winbind directly.  Which is much faster.
>
>> Both ways are working, but now I'm hanging a little bit. Currently I'm using this config in /mods-available/mschap:
>>
>> winbind_username = "%{mschap:User-Name}"
>> winbind_domain = "%{mschap:NT-Domain}"
>>
>> (ntlm_auth = ... is commented out)
>>
>> I have an AD Group "WLAN".
>>
>> How can I authenticate against this group? Is there any directive like "winbind_group = "?
>    You don't "authenticate" against a group.  You check group membership.  And that can only be done with LDAP queries.
>
>    So you have to configure mods-enabled/ldap
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
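For reference, the mods-available/mschap fragment that the thread ends up with, written out as an added example (not taken from the thread or from the Samba wiki); the path /usr/bin/ntlm_auth, the domain MYDOMAIN and the group name wlan are assumed, and the SID form is an obvious placeholder:

```text
# mods-available/mschap -- added example, assumes MYDOMAIN and group "wlan"
mschap {
    # The direct winbind_* path (winbind_username / winbind_domain) is
    # faster, but it cannot enforce group membership. Forking ntlm_auth
    # with --require-membership-of makes winbind reject users who are not
    # in the group before the NT key is ever returned, so no LDAP module
    # is needed for this single-group check.
    #
    # winbind_username = "%{mschap:User-Name}"   # left commented out
    # winbind_domain   = "%{mschap:NT-Domain}"
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
        --username=%{mschap:User-Name} \
        --domain=MYDOMAIN \
        --challenge=%{%{mschap:Challenge}:-00} \
        --nt-response=%{%{mschap:NT-Response}:-00} \
        --require-membership-of='MYDOMAIN\wlan'"

    # ntlm_auth also accepts the group's SID instead of DOMAIN\name,
    # which survives a group rename (placeholder, use your own SID):
    #   --require-membership-of=S-1-5-21-PLACEHOLDER-RID
}
```

Before restarting the daemon, the same check can be run by hand as the radius service user (ntlm_auth prompts for the password when none is given), e.g. `ntlm_auth --request-nt-key --domain=MYDOMAIN --username=someuser --require-membership-of='MYDOMAIN\wlan'`; a member gets `NT_STATUS_OK`, a non-member is refused, which confirms the restriction works outside of FreeRADIUS.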