Re: domain security problem
here is the debug: (user-test- who is not in domain
Well, he was found in AD. And in that domain. And with correct password.
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=TEST [mschap] expand: --username=%{mschap:User-Name} -> --username=test [mschap] mschap2: 10
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5 Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6 Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success
Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
here is the debug: (user-test- who is not in domain
Well, he was found in AD. And in that domain. And with correct password.
certainly, hi is in the AD it is correct, the problem is the domain win send the - DOMAIN\username if it is in domain, - HOSTNAME\username if it is not in domain (only workgroup) but when i set TEST(my domain) as hostname (it still not in domain), it will send this and freeradius think it is correct. how can I config the freeradius to reject auth, when it is not in domain(but send domain name as hostname) like: ntdomain or something proxy.conf modification or hack, i have no idea what is the solution.
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=TEST [mschap] expand: --username=%{mschap:User-Name} -> --username=test [mschap] mschap2: 10
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5 Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6 Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
certainly, hi is in the AD it is correct,
the problem is the domain
win send the - DOMAIN\username if it is in domain, - HOSTNAME\username if it is not in domain (only workgroup)
but when i set TEST(my domain) as hostname (it still not in domain), it will send this and freeradius think it is correct.
how can I config the freeradius to reject auth, when it is not in domain(but send domain name as hostname)
like: ntdomain or something proxy.conf modification or hack, i have no idea what is the solution.
There is no problem with the user. User is in the AD. Your problem is with the machine. How did the machine get access onto the network? If you don't control computer accounts there is no way to prevent this. If you allow users to plug in any machine into the network and you don't control at least mac address ... Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
certainly, hi is in the AD it is correct,
the problem is the domain
win send the - DOMAIN\username if it is in domain, - HOSTNAME\username if it is not in domain (only workgroup)
but when i set TEST(my domain) as hostname (it still not in domain), it will send this and freeradius think it is correct.
how can I config the freeradius to reject auth, when it is not in domain(but send domain name as hostname)
like: ntdomain or something proxy.conf modification or hack, i have no idea what is the solution.
There is no problem with the user. User is in the AD. Your problem is with the machine. How did the machine get access onto the network?
If you don't control computer accounts there is no way to prevent this. If you allow users to plug in any machine into the network and you don't control at least mac address ...
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It is bad news, you say check mac address too no way reject it simple without mac... thank you
It is bad news, you say check mac address too no way reject it simple without mac...
How much simpler can you get? You say that it is a problem that a user with AD account gets access from an unauthorized machine. The only answer is to check machine credentials. mac filtering is the simplest thing you could posssibly do. People who consider this a real problem use machine certificates. Or NAC. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
It is bad news, you say check mac address too no way reject it simple without mac...
How much simpler can you get? You say that it is a problem that a user with AD account gets access from an unauthorized machine. The only answer is to check machine credentials. mac filtering is the simplest thing you could posssibly do. People who consider this a real problem use machine certificates. Or NAC.
Ivan Kalik Kalik Informatika ISP
I just thought there is a setting which is usefull to differentiate the HOST/username and DOMAIN/username Thank you Gabor
tnt@kalik.net wrote:
I just thought there is a setting which is usefull to differentiate the HOST/username and DOMAIN/username
OK. Lets try. What is SOMETHING in SOMETHING\username - HOST or DOMAIN? If you can't tell ...
Ivan Kalik Kalik Informatika ISP
okay I understand, i just thought we have other informations, but i see no. thank you, ans sorry for this foolish question. bye Gabor
I just thought there is a setting which is usefull to differentiate the HOST/username and DOMAIN/username
OK. Lets try. What is SOMETHING in SOMETHING\username - HOST or DOMAIN? If you can't tell ...
Ivan Kalik Kalik Informatika ISP
okay I understand, i just thought we have other informations, but i see no.
But you *do* have other information. Just not in the User-Name. You can do checks on the mac address that comes in Calling-Station-Id. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Hegedus Gabor -
tnt@kalik.net