Hi, sorry, I am completely new to Radius … I want to change a FreeRadius server to authenticate a few hosts by their hostnames. The hostnames would be stored in a config file. How could I do this? This is the authentication request: rad_recv: Access-Request packet from host 10.10.10.21 port 54285, id=145, length=347 Framed-MTU = 1480 NAS-IP-Address = 10.10.10.21 NAS-Identifier = "HP-2520-24-PoE" User-Name = "host/MYHOSTNAME" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "84-34-97-de-df-80" Calling-Station-Id = "00-1f-29-98-8d-41" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "201" EAP-Message = 0x0201001401686f73742f544344452d3030303131 Message-Authenticator = 0xe06791a76c819a3dc0f89c8baf2df141 MS-RAS-Vendor = 11 Thanks for any help! Take care, Stefan
Stefan Sticht wrote:
I want to change a FreeRadius server to authenticate a few hosts by their hostnames. The hostnames would be stored in a config file.
That's not how RADIUS works.
How could I do this?
You can't.
This is the authentication request: ... EAP-Message = 0x0201001401686f73742f544344452d3030303131
That's EAP authentication. You can't bypass the authentication. So... *why* do you want to do this? What other alternatives do you have? Alan DeKok.
Hi Could it be you are in a AD environment - your request looks like to what I see in my environment. If so: Domain-joined Windows machines (for what I have tested) have a computer account in AD. This can be used by the Windows (never tested with domain-joined Macs or Linux machines) client to authenticate as machine against the network (using PEAP-MSCHAPv2). Technically you don't authenticate by hostnames but you use the computers' AD account. Another way would be to use EAP-TLS with certificates on your machines. If you implement the Samba/winbind way as described by deployingradius.comyou can in authenticate computer accounts. - It required me to tweak the LDAP default config for group-based authorization, but In case this is what you are looking for, ping back and I can show you LDAP filters i use. If you are only into authentication, most likely the public pages will already let you in, but (at least on Debian wheezy) I had tomodify modules/mschap as follows: mschap { ... with_ntdomain_hack = yes ... # Debian # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" # Mine (at least that made it work) ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" ... } -- Mathieu
participants (3)
-
Alan DeKok -
Mathieu Simon -
Stefan Sticht