Emulate AD-based machine authentication

Munroe Sollog mus3 at lehigh.edu
Wed Feb 19 13:52:57 CET 2020


Interesting, thanks for the help.

On Wed, Feb 19, 2020 at 4:00 AM Josef Vybíhal <josef.vybihal at gmail.com>
wrote:

> Hi,
> if winbind works for you, the "machine auth" should too. When a Windows
> supplicant is set to do machine auth, it uses a username in the form of
> 'host/hostname.your.domain'. Internally in AD, it's an object similar to a
> user account, with additional class(es). It has its own samaccountname and
> userprincipalname. It also has a password, which is changed by default every
> 30 days (
>
> https://docs.microsoft.com/cs-cz/archive/blogs/askds/machine-account-password-process-2
> ).
>
> Here is example machine auth request from debug log.
> (0) Received Access-Request Id 114 from 172.24.254.250:32774 to
> 172.24.1.6:1812 length 344
> (0)   User-Name = "host/PROBOOK.ABC.cz"
> (0)   Chargeable-User-Identity = 0x00
> (0)   Location-Capable = Civic-Location
> (0)   Calling-Station-Id = "20-10-7a-01-77-fe"
> (0)   Called-Station-Id = "3c-ce-73-6d-3a-50:ABC"
> (0)   NAS-Port = 1
> (0)   Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9"
> (0)   Acct-Session-Id = "5c666ce9/20:10:7a:01:77:fe/96853"
> (0)   Cisco-AVPair = "mDNS=true"
> (0)   NAS-IP-Address = 172.25.100.100
> (0)   NAS-Identifier = "CT2504_100.100"
> (0)   Airespace-Wlan-Id = 1
> (0)   Service-Type = Framed-User
> (0)   Framed-MTU = 1300
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Tunnel-Type:0 = VLAN
> (0)   Tunnel-Medium-Type:0 = IEEE-802
> (0)   Tunnel-Private-Group-Id:0 = "666"
> (0)   EAP-Message = 0x...
> (0)   Message-Authenticator = 0x...
>
> Run your radiusd with radiusd -X and set Windows to do machine auth, and you
> will see something similar to the above.
>
>
> Then in post-auth you can, for example, do some checking like
> if ( &User-Name =~ /^host\/.*$/) {
>   update reply {
>     ...
>   }
> ...
>
>
> Hope that helps,
>
> P.
>
>
>
>
> On Tue, Feb 18, 2020 at 4:28 PM Munroe Sollog <mus3 at lehigh.edu> wrote:
>
> > I am trying to replace our current Microsoft NPS server with freeradius.  I
> > was able to follow the docs and use winbind to get PEAP-mschap user
> > authentication working flawlessly.  The last piece of this puzzle is, NPS
> > has a "magic checkbox" that enables machine-based authentication.  I have
> > been trying to figure out what that checkbox does, without much luck.
> >
> > My best guess is that it's using the Active Directory certificates to do
> > EAP-TLS auth, but that is just my guess.  Has anyone ever tried to
> > replicate this feature, or have any insight?  I realize this isn't strictly
> > a freeradius question, but thought I would ask.
> >
> >
> >
> > --
> > Munroe Sollog
> > Senior Network Engineer
> > munroe at lehigh.edu
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
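As an added example (not code from the thread or from the FreeRADIUS project), here is a small Python parser that reads `radiusd -X` Access-Request output like the debug snippet quoted above and applies the same test the post-auth unlang does (`&User-Name =~ /^host\/.*$/`), separating machine-auth requests from user requests and pulling out the host and domain parts. The sample debug text is constructed for this example (it reuses a few attributes from the quoted request and adds a made-up user request). The mapping of `host/PROBOOK.ABC.cz` to the computer account's sAMAccountName `PROBOOK$` is the standard AD convention for computer objects, not something the thread states.

```python
"""Classify FreeRADIUS debug-log Access-Requests as machine or user auth."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: two Access-Requests in `radiusd -X` format. Request (0)
# mirrors the machine-auth request quoted in the thread; request (1) is a
# made-up user-auth request for contrast.
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 114 from 172.24.254.250:32774 to 172.24.1.6:1812 length 344
(0)   User-Name = "host/PROBOOK.ABC.cz"
(0)   Calling-Station-Id = "20-10-7a-01-77-fe"
(0)   Called-Station-Id = "3c-ce-73-6d-3a-50:ABC"
(0)   NAS-IP-Address = 172.25.100.100
(0)   NAS-Port-Type = Wireless-802.11
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Private-Group-Id:0 = "666"
(1) Received Access-Request Id 115 from 172.24.254.250:32774 to 172.24.1.6:1812 length 301
(1)   User-Name = "jdoe@abc.cz"
(1)   Calling-Station-Id = "20-10-7a-01-77-ff"
(1)   NAS-Port-Type = Wireless-802.11
"""

# "(0) Received Access-Request Id 114 from 172.24.254.250:32774 to 172.24.1.6:1812 ..."
HEADER_RE = re.compile(r'^\((\d+)\) Received Access-Request Id (\d+) from (\S+) to (\S+)')
# "(0)   Tunnel-Type:0 = VLAN"  -> request 0, attribute Tunnel-Type (tag dropped), value VLAN
ATTR_RE = re.compile(r'^\((\d+)\)\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$')
# Windows supplicant machine-auth form: host/<hostname>.<domain>
MACHINE_RE = re.compile(r'^host/(?P<host>[^./@]+)(?:\.(?P<domain>[^@]+))?$', re.IGNORECASE)


def parse_requests(debug_text: str) -> Dict[int, dict]:
    """Group attribute lines by request number; values are kept as lists
    because RADIUS attributes (e.g. Cisco-AVPair) may repeat."""
    requests: Dict[int, dict] = {}
    for line in debug_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            n = int(m.group(1))
            requests[n] = {"id": int(m.group(2)), "from": m.group(3),
                           "to": m.group(4), "attrs": {}}
            continue
        m = ATTR_RE.match(line)
        if m:
            n, name, raw = int(m.group(1)), m.group(2), m.group(3).strip()
            # Strings are printed quoted; integers, IPs and octets are bare.
            value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
            req = requests.setdefault(n, {"id": None, "from": None, "to": None, "attrs": {}})
            req["attrs"].setdefault(name, []).append(value)
    return requests


@dataclass
class Identity:
    kind: str               # "machine" or "user"
    account: str            # sAMAccountName to look up, e.g. PROBOOK$ or jdoe
    domain: Optional[str]   # DNS/NetBIOS domain part if the name carried one


def classify(user_name: str) -> Identity:
    """Same decision as `if (&User-Name =~ /^host\\/.*$/)` in post-auth."""
    m = MACHINE_RE.match(user_name)
    if m:
        # Computer objects carry a sAMAccountName of <HOSTNAME>$ (standard AD
        # convention, assumed here; the thread only says the object has one).
        return Identity("machine", m.group("host").upper() + "$", m.group("domain"))
    if "@" in user_name:                       # UPN form user@domain
        user, domain = user_name.split("@", 1)
        return Identity("user", user, domain)
    if "\\" in user_name:                      # down-level form DOMAIN\user
        domain, user = user_name.split("\\", 1)
        return Identity("user", user, domain)
    return Identity("user", user_name, None)


def summarize(debug_text: str) -> List[Tuple[int, str, str, str, Optional[str]]]:
    """One row per request: (number, User-Name, kind, account, Calling-Station-Id)."""
    rows = []
    for n, req in sorted(parse_requests(debug_text).items()):
        user_name = req["attrs"].get("User-Name", [""])[0]
        ident = classify(user_name)
        mac = req["attrs"].get("Calling-Station-Id", [None])[0]
        rows.append((n, user_name, ident.kind, ident.account, mac))
    return rows


if __name__ == "__main__":
    for n, user_name, kind, account, mac in summarize(SAMPLE_DEBUG):
        print(f"({n}) {kind:7s} User-Name={user_name!r} account={account} mac={mac}")
```

The `^host/` match only tells you what the supplicant claims to be; the proof that it really is that computer is the PEAP/MSCHAPv2 exchange that winbind verifies against the computer account's password, so a check like this belongs in post-auth (after Auth-Type has succeeded), exactly where the quoted reply puts it.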


More information about the Freeradius-Users mailing list