Re: Expired Active Directory Passwords & Wireless Authentication
Will that allow successful RADIUS authentication - and, therefore wireless access - before the password change is initiated? Because our clients are Macs that won't prompt for password change until after they are connected to the wireless and authenticating against AD. Alan DeKok Wrote: Jason Agress wrote:
I've read lots about this problem with FreeRADIUS and have seen some implied solutions, but nothing concrete. So here's my question: With FreeRADIUS, is there a way to allow successful RADIUS authentication with an expired password? This way the AD login process can commence and the user can be prompted to change his/her password wirelessly.
Use the git "master" branch. It supports changing passwords via PEAP. See raddb/mods-available/mschap Alan DeKok.
On 10/10/2012 03:21 AM, Jason Agress wrote:
Will that allow successful RADIUS authentication - and, therefore wireless access - before the password change is initiated? Because our clients are Macs that won't prompt for password change until after they are connected to the wireless and authenticating against AD.
Ah. Then no, mschap password changes won't help. FreeRADIUS just calls out to AD to auth users. If AD refuses to auth because the password is expired, the only thing you can do is a password change, which requires client support. Since you're using Macs, you do have one option - change your EAP method to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth types you can "force" an accept on. Other auth types use challenge/response methods that require both side to prove to each other that they know the credentials. To implement this, you'd: 1. Install FreeRADIUS 2. Get EAP working with a local user 3. Get EAP working with AD users via Samba Everything up to this point is documented - see the wiki or deployingradius.com. Once you've got that far, you need to setup two things: * TTLS * A script to auth PAP against AD, wrapping ntlm_auth The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, check for "expired" and force a success. Anyway - if you're willing to move from PEAP to TTLS, get the basics working then if you need advice, ask here again - people will be glad to help. It's relatively straightforward, but all the pieces might not be documented in obvious places.
This is very promising! Thank you! Is there any significant downside to using EAP-TTLS/PAP over PEAP? FreeRadius users mailing list <freeradius-users@lists.freeradius.org> writes:
On 10/10/2012 03:21 AM, Jason Agress wrote:
Will that allow successful RADIUS authentication - and, therefore wireless access - before the password change is initiated? Because our clients are Macs that won't prompt for password change until after they are connected to the wireless and authenticating against AD.
Ah. Then no, mschap password changes won't help. FreeRADIUS just calls out to AD to auth users. If AD refuses to auth because the password is expired, the only thing you can do is a password change, which requires client support.
Since you're using Macs, you do have one option - change your EAP method to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth types you can "force" an accept on. Other auth types use challenge/response methods that require both side to prove to each other that they know the credentials.
To implement this, you'd:
1. Install FreeRADIUS 2. Get EAP working with a local user 3. Get EAP working with AD users via Samba
Everything up to this point is documented - see the wiki or deployingradius.com. Once you've got that far, you need to setup two things:
* TTLS * A script to auth PAP against AD, wrapping ntlm_auth
The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, check for "expired" and force a success.
Anyway - if you're willing to move from PEAP to TTLS, get the basics working then if you need advice, ask here again - people will be glad to help. It's relatively straightforward, but all the pieces might not be documented in obvious places. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Is there any significant downside to using EAP-TTLS/PAP over PEAP?
A few things, one is that you really need to trust the CA/RADIUS server - as your credentials are all passed in the clear inside the TLS tunnel - so if you are talking to a dodgy server you then send them everything secondly...many clients dont support it natively....so you need to install an extra supplicant to do it. not an issue if you are only trying to ensure that Mac users can change password when things are wonky and Windows users use PEAP (which has the 'change/incorrect' support - but how do you stop Mac users using PEAP and still getting themselves stuck? alan
participants (3)
-
alan buxey -
Jason Agress -
Phil Mayers