<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>Machine Authentication and Active Directory group lookups</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Hello all,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">I have FreeRadius v 2.1.10 installed and configured to authent</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">icate</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> users agai</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">nst Active Directory using P</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">EAP</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">/MSChapV2 and perform Group membership lookups via the ldap module so that I can</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">configure radius reply attributes to provide VLAN assignment and Dymanic ACL</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">’</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">s. All is working</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">extremely</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> well,</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">but</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> one item that I would also like to get working i</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">s</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> the Machine Authentication. </FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri"> Machine Authen</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">tication</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> is working with the exception of the ldap group looku</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">p.</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> From what I can tell, when the machine authentica</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">tes, the ntlm_auth</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">knows that the request is a Machine Authentication and appends the $ to the end of the username</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> for</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">the</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> sAMAccountName</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">:</FONT></SPAN></P>
<BR>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri"># Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">+- entering group authenticate {...}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[inner-eap] Request found, released from the list</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[inner-eap] EAP/mschapv2</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[inner-eap] processing type mschapv2</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschapv2] # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschapv2] +- entering group MS-CHAP {...}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] Creating challenge hash with username: host/lab.XXXX.com</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] Told to do MS-CHAPv2 for host/lab.XXXX.XXX with NT-Password</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=lab$</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] mschap2: 78</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] Creating challenge hash with username: host/lab.XXXX.XXX</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a9c34f78fae78fd0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=961d047adaedc84346d00fcd2a0a67139ff4a95c9e13ae61</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Exec-Program output: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Exec-Program-Wait: plaintext: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Exec-Program: returned: 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[mschap] adding MS-CHAPv2 MPPE keys</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">++[mschap] returns ok</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">MSCHAP Success</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Since I am using</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">filter = "(&(sAMAccountName=%{mschap:User-Name}))"</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> in the ldap module, FreeRadius is trying to do a group lookup on:</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">lab$ which is not found in</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">any</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">Active Direc</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">tory groups</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">:</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri"># Executing section post-auth from file /usr//etc/raddb/sites-enabled/default</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">+- entering group post-auth {...}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri"> [ldap] Entering ldap_groupcmp()</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[files] expand: ou=XXXX,dc=XXXX,dc=XXX -> ou=XXXX,dc=XXXX,dc=XXX</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">[files] expand: (&(sAMAccountName=%{mschap:User-Name})) -> (&(sAMAccountName=lab$))</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri"> [ldap] ldap_get_conn: Checking Id: 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri"> [ldap] ldap_get_conn: Got Id: 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri"> [ldap] performing search in ou=XXXX,dc=XXXX,dc=</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">XXX</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">, with filter (&(sAMAccountName=lab$))</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri"> [ldap] object not found</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Is it possible to remove the</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">“</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">$</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">”</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> from the sAMAccountName in the LDAP module without breaking the User Authentication</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">?</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Thanks</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Robert Graham</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<BR>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
</BODY>
</HTML>