Since this is my first post to this list, hello everyone. I do apologize if this question has been asked before; unfortunately I've been unable to find this information in the list archives. I have a working setup with Windows XP clients, MSAD, FreeRADIUS 1.1.0 running on SLES 10, and Enterasys switches. Authentication via PEAP and MS-CHAPv2. Everything works perfectly fine when a Windows user logs on; ldap module looks up the user, mschap authenticates, client is dropped into the right VLAN... beautiful. However, what I am also trying to achieve is to force the client into a specific VLAN when no user is logged on (this corresponds to the "Authenticate as computer when computer information is available" option in the "Authentication" tab of the Windows connection properties dialog). The tricky part is that XP's supplicant, which supplies the username as "DOMAIN\\Username" while a user is logged on, supplies a username in the form of "host/computername.my.domain" otherwise -- this corresponds to the servicePrincipalName attribute on the machine's object in MSAD. This is of course a format that ntlm_auth can't deal with. So, my approach is this: 1. When authorizing, look up the LDAP DN using a filter that checks both sAMAccountName and servicePrincipalName: radiusd.conf: modules { # [...] ldap { # [...] filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(servicePrincipalName=%{S tripped-User-Name:-%{User-Name}}))" # [...] } } } 2. While authorizing, retrieve the value of the sAMAccountName from LDAP. For this purpose, I have the following entry in the LDAP Attribute map: replyItem MSAD-SAM-Account-Name sAMAccountName 3. When authenticating, feed mschap's ntlm_auth the MSAD-SAM-Account-Name if it is available: modules { # [...] mschap { # [...] ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{MSAD-SAM-Account-Name:-%{Stripped-User-Name:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" # [...] } } }
From the debug logs, it appears such that the computer's LDAP object is looked up successfully (using the servicePrincipalName host/testpc.demo.com), and that the MSAD-SAM-Account-Name replyItem is set correctly (to "TESTPC$"). However, ntlm_auth is invoked with the username None instead, so it appears that the LDAP replyItems are not made available to the mschap authentication module.
rlm_ldap: performing search in dc=demo,dc=com, with filter (|(sAMAccountName=host/testpc.demo.com)(userPrincipalName=host/testpc.demo.com)( servicePrincipalName=host/testpc.demo.com)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding sAMAccountName as MSAD-SAM-Account-Name, value TESTPC$ & op=11 rlm_ldap: user host/testpc.demo.com authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/testpc.demo.com with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: e8 radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=None --challenge=30585713439262e1 --nt-response=bbef10b2df1d9a084db75e86b02df137e7166eb6ce3e4d30' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=None --challenge=30585713439262e1 --nt-response=bbef10b2df1d9a084db75e86b02df137e7166eb6ce3e4d30 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) ... and then subsequently, the whole request of course fails. I'm almost certain that I am missing something very obvious. Would someone be kind enough to enlighten me? Thanks very much. Florian -- Mag.(FH) Florian G. Haas | Systemingenieur Kapsch BusinessCom AG | Wienerbergstraße 53 | A-1120 Wien www.kapschbusiness.com | www.kapsch.net Firmenbuch HG Wien FN 178368g | Firmensitz Wien The information contained in this e-mail message is privileged and confidential and is for the exclusive use of the addressee. The person who receives this message and who is not the addressee, one of his employees or an agent entitled to hand it over to the addressee, is informed that he may not use, disclose or reproduce the contents thereof.