Hi, Using freeradius 1.1.5 samba 3.0.24...i have an interesting problem, and was curious what methods other people would take to solve it. I am setting up radius for our new wpa2 wireless network, which means that windows machine auth should work so that people can LOGIN to their laptops. i have it working (with a slight hack). when a windows xp machine sends its machine auth to radius it sends host/machinename.activedirectorydomain.domain.domain. so freeradius takes the activedirectorydomain part of that and assumes that the domain's actual name (what you use for authentication) in our case....blame the windows people, that is NOT the case. example computer.ad.clarku.edu is the dns name...however that computer is actually joined to the CLARKU domain..so the authentication needs to be against the CLARKU domain as the AD domain doesn't exist. does that make sense? any ideas? the hack i have in place is a hardcoded domain of CLARKU in the NTLM_AUTH check(this can't stay as we have multiple domains). thanks in advance for any insight. Joe
Hi,
xp machine sends its machine auth to radius it sends host/machinename.activedirectorydomain.domain.domain. so freeradius takes the activedirectorydomain part of that and assumes that the domain's actual name (what you use for authentication) in our case....blame the windows people, that is NOT the case. example computer.ad.clarku.edu is the dns name...however that computer is actually joined to the CLARKU domain..so the authentication needs to be against the CLARKU domain as the AD domain doesn't exist. does that make sense? any ideas?
well, you can use regexp/attr_filter to look for these systems and then just chop off the activedirectorydomain.domain.domain. part thus allowing the AD REALM to be forced by yourselves. alan
well, you can use regexp/attr_filter to look for these systems and then just chop off the activedirectorydomain.domain.domain. part thus allowing the AD REALM to be forced by yourselves.
I tried something similar i used attr_rewrite to replace the bad parts of User-Name with the modified correct values, it, however because i am using eap-ttls, i got an eap error "rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler" can you point me to a doc where the attr_filter is explained better? from reading the comments/documentation i got the impression it was primarily used for proxying, and wouldn't work for other things... Joe
Hi,
I tried something similar i used attr_rewrite to replace the bad parts of User-Name with the modified correct values, it, however because i am using eap-ttls, i got an eap error "rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler"
ah! you really cannot play with User-Name - as you have found, the client doesnt like that to be changed. what you want to do is copy User-Name to Stripped-User-Name and then play with Stripped-User-Name - and use that in the rest of the stages. attr_rewrite is the one you want to use - i've just been busy with some other things - attr_filter was a typo! alan
ah! you really cannot play with User-Name - as you have found, the client
doesnt like that to be changed. what you want to do is copy User-Name to Stripped-User-Name and then play with Stripped-User-Name - and use that in the rest of the stages.
how do i copy User-Name to something else? what i ended up doing (it's not super pretty, but works) is using Hints and if prefix == "host" (as machines auth as host/blahblah) then i set a new attribute called domain and use that for the auth, and if i get a real domain as the prefix i just assign that as the attribute domain...not pretty but it works. Joe
Hi,
how do i copy User-Name to something else?
there are guides out there..and various snippets from mail archives but you can start by doing stuff like attr_rewrite copy.user-name { attribute = Stripped-User-Name new_attribute = yes searchfor = "" searchin = packet replacewith = "%{User-Name}" } attr_rewrite remove-domain { attribute = Stripped-User-Name searchfor = "\.test\.domain\.com" searchin = packet new_attribute = no replacewith = "" } attr_rewrite add-dollar-sign { attribute = Stripped-User-Name searchfor = "^(host/.*)" searchin = packet new_attribute = no replacewith = "%{1}$" } then you can add copy.user-name remove-domain add-dollar-sign to the authorize section alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Joe Vieira