Hi All, Wander if someone can help me resolve a problem I'm experiencing.... I'm using FreeRADIUS to provide AAA for 802.1X for wireless in a number of sites. It doesn't need to be 100% up all the time, and so I've got one server back in our central site that handles all the requests over our site-to-site VPNs. The users are stored in either AD, or SQL. SQL is fine, and I've modified the queries to suit my environment. My real problem is with the AD.... I can get it to authenticate users no problems, but not machines. I've got three AD domains I have users in that I need to authenticate: WB-UK, WB-US & WB-AU. These are sub-domains of WB-ROOT, which has no users and is there simple to provide trusts etc. All my users can authenticate fine, as the ms-chap module fills in the nt-domain variable and all is good. However, host authentication fails... I need host authentication to facilitate password expiration messages and changes to keep everyone authenticating OK, and not getting locked out. I'm sure that someones dealt with this before, and so I'd be very grateful for feedback and help. What do I need to supply to ntlm_auth for a machine user name, the "host/machine.domain.local" style, or the "$machine$" style? And, is this a problem best solved by setting the ntlm_auth program variable based on unlang checks against an extracted realm? Or, is there another way to make this all behave? I've tryied using Alan's suggested line on the "how-to" on deployingradius.org, but the "if no nt-domain, use a manually entered default" bit seems to confuse host auth. Many thanks in advance for any help offered, Rupes
We pass hostname$ to ntlm_auth by rewriting the User-Name attribute as follows: attr_rewrite machine_UserName { attribute = User-Name searchin = packet searchfor = "^host/(.*).domain.name" replacewith = "%{1}$" ignore_case = yes new_attribute = no max_matches = 1 append = no } To change from host/hostname.domain.name to hostname$. Then, include machine_UserName in the authorize and authenticate sections before mschap. ________________________________ From: freeradius-users-bounces+neal.garber=energyeast.com@lists.freeradius.org [mailto:freeradius-users-bounces+neal.garber=energyeast.com@lists.freera dius.org] On Behalf Of Rupert Finnigan Sent: Monday, June 01, 2009 2:59 PM To: FreeRadius users mailing list Subject: NTLM Auth Help Hi All, Wander if someone can help me resolve a problem I'm experiencing.... I'm using FreeRADIUS to provide AAA for 802.1X for wireless in a number of sites. It doesn't need to be 100% up all the time, and so I've got one server back in our central site that handles all the requests over our site-to-site VPNs. The users are stored in either AD, or SQL. SQL is fine, and I've modified the queries to suit my environment. My real problem is with the AD.... I can get it to authenticate users no problems, but not machines. I've got three AD domains I have users in that I need to authenticate: WB-UK, WB-US & WB-AU. These are sub-domains of WB-ROOT, which has no users and is there simple to provide trusts etc. All my users can authenticate fine, as the ms-chap module fills in the nt-domain variable and all is good. However, host authentication fails... I need host authentication to facilitate password expiration messages and changes to keep everyone authenticating OK, and not getting locked out. I'm sure that someones dealt with this before, and so I'd be very grateful for feedback and help. What do I need to supply to ntlm_auth for a machine user name, the "host/machine.domain.local" style, or the "$machine$" style? And, is this a problem best solved by setting the ntlm_auth program variable based on unlang checks against an extracted realm? Or, is there another way to make this all behave? I've tryied using Alan's suggested line on the "how-to" on deployingradius.org, but the "if no nt-domain, use a manually entered default" bit seems to confuse host auth. Many thanks in advance for any help offered, Rupes
Hi,
We pass hostname$ to ntlm_auth by rewriting the User-Name attribute as follows:
attr_rewrite machine_UserName {
attribute = User-Name
searchin = packet
searchfor = "^host/(.*).domain.name"
replacewith = "%{1}$"
ignore_case = yes
new_attribute = no
max_matches = 1
append = no
}
To change from host/hostname.domain.name to hostname$. Then, include machine_UserName in the authorize and authenticate sections before mschap.
why? with recent versions of FreeRADIUS this just works(tm) with no rewriting needed - just ensure that the ntlm_auth line has the correct arguments and you have the ntdomain stuff turned on . we used to have all kinds of hacky stuff in our config...almost all of it is now wiped away with a small spattering of unlang here and there for utility alan
why? with recent versions of FreeRADIUS this just works(tm) with no rewriting needed - just ensure that the ntlm_auth line has the correct arguments and you have the ntdomain stuff turned on .
we used to have all kinds of hacky stuff in our config...almost all of it is now wiped away with a small spattering of unlang here and there for utility
How recent (probably newer than I'm running I'm guessing)? Also, are you saying that it "just works" by passing "host/hostname.domain.name" to ntlm_auth or that the newer versions have built-in unlang to mangle the name for you? Thanks Alan..
Hi, 2009/6/2 <A.L.M.Buxey@lboro.ac.uk>
why? with recent versions of FreeRADIUS this just works(tm) with no rewriting needed - just ensure that the ntlm_auth line has the correct arguments and you have the ntdomain stuff turned on .
I've tried, and can't make the default work. I've got three domains with users and machines in them. The default ntlm_auth line is fine for users, but it doesn't work for machines. If I leave --username=%{mschap:User-Name:-None} and --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} (obviously, default domain is moddified) in place then for users it's fine - the username and domain are filled in based on the details supplied by the MS supplicant. Machines fail though - even for machines that are in the "default domain".
If I follow the logic as supplied by Neil, and remove the "--domain" option then this works fine for all users in all domains, and machines in same domain that winbind was joined to, but not machines from remote domains. If I leave the "--domain" option in, then as the "host/" username doesn't contain the netbios version of the domain then "%{mschap:NT-Domain} " is unknown and the default domain is filled in, and this seems to break all machine authentication... External Program returns "Logon failure". I can't really see anyway to resolve this, other than moddifing the ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit from the "X.mycompany.local" supplied domain name in the "host/" username. Is this even possible though?? Am I overlooking something here? Thanks, Rupert
Hi,
If I follow the logic as supplied by Neil, and remove the "--domain" option then this works fine for all users in all domains, and machines in same domain that winbind was joined to, but not machines from remote domains. If
ah! multiple remote domains - not in a forest of trust?
I can't really see anyway to resolve this, other than moddifing the ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit from the "X.mycompany.local" supplied domain name in the "host/" username. Is this even possible though??
that could work....hmm something along the lines of if (%{User-Name} =~ /.domain.wanted/({ ntlm_auth blah blah --domain DOMAINWANTED } etc etc so ntlm_auth gets fired off with the right stuff...no playing with User-Name alan
Hi, 2009/6/2 <A.L.M.Buxey@lboro.ac.uk>
ah! multiple remote domains - not in a forest of trust?
All in the same Forest & Tree, yes - but it still appears to be unhappy as it can't work out which the domain the $PCNAME$ machine lives in.
I can't really see anyway to resolve this, other than moddifing the ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit from the "X.mycompany.local" supplied domain name in the "host/" username. Is this even possible though??
that could work....hmm something along the lines of
if (%{User-Name} =~ /.domain.wanted/({ ntlm_auth blah blah --domain DOMAINWANTED }
etc etc so ntlm_auth gets fired off with the right stuff...no playing with User-Name
Sounds good - I'll give this logic a go... Where best to place this bit of Unlang? In the inner-tunnel Authorization stanza, before ms-chap? Would I need to repeat in the Authentication MS-CHAP bit too, or does it get set at the beginning of the "request session" and follow all the way though. Suppose I could just get on and try it out! Many thanks for your help. Rupert
Hi,
Sounds good - I'll give this logic a go... Where best to place this bit of Unlang? In the inner-tunnel Authorization stanza, before ms-chap? Would I need to repeat in the Authentication MS-CHAP bit too, or does it get set at the beginning of the "request session" and follow all the way though. Suppose I could just get on and try it out!
personally? I'd edit the mschap module (ie put it in there) and then name the module ie instead of mschap { at the top of the file, you put mschap yourname { and then, instead of 'mschap' in the inner-tunnel, you put 'yourname' - note, any call to mschap: in mschap or elsewhere would need to change to yourname: too. this way you can simply backup that module and swing it into place on whatever freeradius you like (recent version of course! ;-) ) alan
Hi, Following up from this, I think I've discovered what the real problem here is. I think there's a problem with the MS-CHAP module.... The module looks in the username to find "host/" at the beginning, and if it does then handles it differently. Whilst it sets the "username" section correctly, it doesn't set the "domain" section properly. ntlm_auth can handle both netbios and FQDN versions of a domain. For machine Auth, the mschap module works on the assumption that the first "DN=" bit of the FQDN is always the same as the netbios name - which in many situations it is, but not all the time. It should work on the logic of: "OK, I found a host/ at the beginning, so everything after the /host but before the first '.' + a '$' is the username of the machine, and *everything* after the first '.' is the domain name, not everything between the first and second periods is the domain name. My C programming isn't too hot, and so I'm not sure how to correct this logic - even though I think I've found it in source for rlm_mschap. Many Thanks, Rupert
Hi All, After a bit of investigation and playing, I've made some changes to the rlm_mschap module that seems to have fixed my problem. It now no longer "trims" the machine authentication domain name, and so based on the ntlm_auth line from Alan DeKok's How-To on deployingradius.org will handle both machine and user authentication from any Windows supplicant doing PEAP from any domain or child domain on my network. In theory, this should be applicable to all other MS Windows AD environments, regardless of their internal naming structure. Obviously, although with makes theoretical sense and works for my environment, it needs more testing... I've attached a patch based on the diff of my two source files. Many thanks to Alan Buxey and John Dennis for your help. Rupert
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Garber, Neal -
Rupert Finnigan