Hi, I had a similar problem that I resolved with a LDAP query. In this way I also extract other parameters from the AD database that I can use for authorization (for example groups membership). The main idea is to configure the LDAP module with a proper filter: * if you want to match just userPrincipalName: filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)" * if you want to match userPrincipalName OR sAMAccountName: filter = "(|(userPrincipalName=%{%{ Stripped-User-Name}:-%{User-Name}}@example.com )(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" and then map the LDAP attribute sAMAccountName in some radius custom attribute (I defined, for example, AD-Samaccountname) in the in the control dictionary. Then you can just use --username=%{control:AD-Samaccountname} in the ntlm_auth exec command. I wrote a post about it on my blog[1], unfortunately it is for FR2 and not FR3 (and, as usual, it's not the official wiki). The idea for this "trick" is not mine but it came from some old post in this list. Regards, Enrico [1] https://uz.sns.it/~enrico/site/posts/networking/ntlm-auth-in-freeradius-usin... On Fri, Jun 30, 2017 at 7:26 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP
and MSCHAPv2 against Active directory.
User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName.
ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` }
Don't edit the User-Name. It's wrong.
You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
I have an error in the log
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid
Yup
In the short term, you can do:
authorize { update request { Stripped-User-Name := `/path/to/my/script '%{User-Name}'` } }
And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html