Hello and thank you for the suggestion. I've already try to set value in Stripped-User-Name. In the log I can see the script running sucessfully, and value is set in Stripped-User-Name, but when it's passed to ntlm_auth the string is empty. Il 30 Giu 2017 7:25 PM, "Alan DeKok" <aland@deployingradius.com> ha scritto:
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP
and MSCHAPv2 against Active directory.
User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName.
ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` }
Don't edit the User-Name. It's wrong.
You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
I have an error in the log
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid
Yup
In the short term, you can do:
authorize { update request { Stripped-User-Name := `/path/to/my/script '%{User-Name}'` } }
And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html