<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Arial, sans-serif" size="2">
<div>New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?</div>
<div> </div>
<div>I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other than that it has something to do with editing the "realms" file. I also went to #freeradius
on FreeNode, but it seemed there was rarely anyone in the channel. So here I am.</div>
<div> </div>
<div>I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that is a member of an AD domain via Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers). We have a multi-domain,
single forest environment.</div>
<div> </div>
<div>I'm running two virtual servers, based on the defaults. I have the "campus-main" virtual server that is pretty much the exact same as the default, except that I have LDAP authentication enabled. This works perfectly and is able to authenticate users
for all domains. I also have the "campus-eap" and "campus-inner-tunnel" virtual servers for EAP authentication that are the same as the "default" and "inner-tunnel" servers except for the names. (I copied them so I could make changes to the "campus-XXX" virtual
servers and still have the originals for reference.)</div>
<div> </div>
<div>The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the "host\\computer.domain.name" users (the computer accounts). I'd like to make this work, partly because a
large number of the failed login attempts in my logs are from hosts that are valid domain members.</div>
<div> </div>
<div>Sooo... help? What's the basic idea behind making this work?</div>
<div> </div>
<div><font face="Arial, sans-serif">Thanks!</font></div>
<div><font face="Arial, sans-serif"> </font></div>
<div><font face="Arial, sans-serif">Justin McNutt</font></div>
<div><font face="Arial, sans-serif">Network Systems Analyst - Ninja</font></div>
<div><font face="Arial, sans-serif">DNPS, Mizzou Telecom</font></div>
<div><font face="Arial, sans-serif">(573) 882-5183</font></div>
<div><font face="Arial, sans-serif"> </font></div>
<div><font face="Arial, sans-serif">"Do you have a concussion?"</font></div>
<div><font face="Arial, sans-serif"> </font></div>
<div><font face="Arial, sans-serif">Ping is NOT a service. You don't need it. Use a real test.</font></div>
</font>
</body>
</html>