Computer Logon with PEAP-MSCHAPv2
Hello there, after setting up our new central Radius Server I now want to finally set up PEAP-MSCHAPv2 with support for Computer acces, that my users can log in to the Samba administered Domain from Wireless Terminals (like their Laptops). I found a lot of helpful HowTos and Documentations but never managed to get Information about Computer Logons with PEAP. I understand that PEAP only uses certificates to identify the Radius Server, but uses Username/Password for connecting Users to the Wireless Network. Can someone point me to a resource or tell me how to do this all for Machines that they can authenticate when no user has logged in, to manage connection to the Domain when it comes to specific User login. Greetings, Sebastian Mauer
Alan DeKok schrieb:
Sebastian Mauer <sebastian@n-unity.de> wrote:
I found a lot of helpful HowTos and Documentations but never managed to get Information about Computer Logons with PEAP.
This was discussed very recently on this list. See the list archives.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello! I already read the thread about Domain Logons, but my case is a little bit different. I use Samba 3.x with LDAP as backend. I recently managed to get FreeRadius working by using SambaNTPassword as Password Attribute for EAP-PEAP Logins. Now I have the problem to get machines authenticated too. I found Information that when Computer Logon is activated the Machine tries to authenticate with its Machine Password. The domain enabled machines are in ou=Machines,dc=rnet,dc=lan and their Machine Password is stored too in a SambaNTPassword Attribute. So it might work if FreeRadius is able to find the machine entry in LDAP. The username for machines is machinename$ but I'm not sure what username Windows sens if it tries to authenticate a machine. Has someone set up a similar configuration? Sincerely, Sebastian Mauer
Sebastian Mauer <sebastian@n-unity.de> wrote:
The domain enabled machines are in ou=Machines,dc=rnet,dc=lan and their Machine Password is stored too in a SambaNTPassword Attribute.
So update the LDAP queries to look there.
So it might work if FreeRadius is able to find the machine entry in LDAP. The username for machines is machinename$ but I'm not sure what username Windows sens if it tries to authenticate a machine.
You can do LDAP queries by hand to see what name should be used. Then, make FreeRADIUS do the same queries. Alan DeKok.
participants (2)
-
Alan DeKok -
Sebastian Mauer