Can Radius pass client ip details to Windows AD during ntlm authentication ?.
Can Radius Server pass client ip details to Windows AD during ntlm authentication ?. Here is the scenario, WirelessLanController is configured to provide access only after authenticating using Radius. Radius server is configured for WPA2 Enterprise with Active Directory integration using samba/winbind (ntlm_auth). I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It shows my username, Radius server IP and system name when searching for details. Thanks Eby
On Mar 12, 2016, at 12:14 PM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Can Radius Server pass client ip details to Windows AD during ntlm authentication ?.
No.
Here is the scenario, WirelessLanController is configured to provide access only after authenticating using Radius. Radius server is configured for WPA2 Enterprise with Active Directory integration using samba/winbind (ntlm_auth).
I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It shows my username, Radius server IP and system name when searching for details.
AD shows the IP that the login request came from. In this case, that's the RADIUS server. There is no way I know to pass more information in the login request. Alan DeKok.
On Mar 13, 2016 8:04 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
On Mar 12, 2016, at 12:14 PM, Eby Mani via Freeradius-Users <
freeradius-users@lists.freeradius.org> wrote:
Can Radius Server pass client ip details to Windows AD during ntlm
authentication ?.
No.
Here is the scenario, WirelessLanController is configured to provide access only after authenticating using Radius. Radius server is configured for WPA2 Enterprise with Active Directory integration using samba/winbind (ntlm_auth).
I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It shows my username, Radius server IP and system name when searching for details.
AD shows the IP that the login request came from. In this case, that's the RADIUS server.
There is no way I know to pass more information in the login request.
One thing you could always do is use the post-auth function of the ldap module to write the last ip address used into another ldap attribute. It's not exactly the same as passing it in the auth. But may achieve the same outcome. I however would use the linelog module and log the event that way rather than writing it into AD.
Alan DeKok.
- List info/subscribe/unsubscribe? See
On Sat, Mar 12, 2016 at 05:14:38PM +0000, Eby Mani via Freeradius-Users wrote:
I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It shows my username, Radius server IP and system name when searching for details.
Look at the logs on the RADIUS server. The AD ones will be next to useless. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
802.1x authentication happens without an IP address. Only MAC addresses on used between the station and the access point. So there is no IP information to transfer. Once connected, the station may have a fixed IP, or hopefully use DHCP, but the authentication has long passed, and those transactions are outside of RADIUS. Dave. Quoting Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org>:
Can Radius Server pass client ip details to Windows AD during ntlm authentication ?.
Here is the scenario, WirelessLanController is configured to provide access only after authenticating using Radius. Radius server is configured for WPA2 Enterprise with Active Directory integration using samba/winbind (ntlm_auth).
I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It shows my username, Radius server IP and system name when searching for details.
Thanks Eby - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Eby Mani wrote:
Can Radius Server pass client ip details to Windows AD during ntlm authentication ?.
Here is the scenario, WirelessLanController is configured to provide access only after authenticating using Radius. Radius server is configured for WPA2 Enterprise with Active Directory integration using samba/winbind (ntlm_auth).
I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It shows my username, Radius server IP and system name when searching for details.
The IP address of the host is not known until well after the NTLM authentication takes place. DHCP happens after the authentication -- nothing knows the IP until this point. Even with static IP addresses, the first IP packet, or even ARP, is not sent until after the authentication completes, so only the client will know it. What you may be able to do is set up the WiFi controller to send accounting packets when it discovers the IP, which includes the username, then shell out to a script to do something to inject log entries into the AD server. However hey could not be NTLM authentication logs, because at that point, the RADIUS server no longer has the NTLM challenge/response so it cannot pretend to be the user anymore. Another possibility is if you are in an environment where you could set up a secondary layer of encryption with IPSEC on the clients, as an authentication to an IPSEC RAS would indeed know the IP adress. However, this would still appear to come from the IPSEC RAS's IP unless windows authentication has a method to record a supplementary IP.
On 12 Mar 2016, at 17:14, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Can Radius Server pass client ip details to Windows AD during ntlm authentication ?.
dot1X authentication before network access has been granted. Therefore the client won’t DHCP until after 802.1X authentication has succeeded.
Here is the scenario, WirelessLanController is configured to provide access only after authenticating using Radius.
This is how 802.1X is designed the client isn’t granted network access until it has been authorised.
Radius server is configured for WPA2 Enterprise
RADIUS is configured for EAP Authentication, WPA2 Enterprise is how your wireless network is configured.
with Active Directory integration using samba/winbind (ntlm_auth).
I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It shows my username, Radius server IP and system name when searching for details.
The best you can do is configure your wireless to send RADIUS accounting with interim updates. If your wireless system is sensible it should send an interim update whenever the client IP Address changes. This also assumes you have configured your wireless to enforce DHCP (which doesn’t always work so well as different manufacturers read the RFC for DNAv4 differently). Of course you still need some way of taking the information from the RADIUS accounting and passing this on to the AD. Regards Scott Armitage
participants (7)
-
Alan DeKok -
Brian Julin -
David Mitton -
Eby Mani -
Matthew Newton -
Peter Lambrechtsen -
Scott Armitage