Accept both machine auth and user with domain auth
Hello, I am trying to configure freeradius to accept either machine auth (using host/<user>.<domain>) or user authentication (user@domain when they come from Eduroam). Previously I had in the mschap module for the ntlm_auth:- "--username=%{mschap:User-Name}" Which works fine for users without domains and machine authentication. For Eduroam, because they have the domain included, I decided to replace mschap:User-Name with %{Stripped-User-Name} which works except it broke machine authentication. While researching this issue, I came across a configuration for ntlm_auth using the following:- "--username-=%{%{Stripped-User-Name}:-%{mschap:User-Name}}" Which I assume means if Stripped-User-Name is null, then use mschap:User-Name? I do not understand what I would need to do to achieve this. Would I need to set 'nostrip' under the realm for the domain of that user authenticating? Cheers, - Trevor
On Sun, Jun 26, 2016 at 05:11:55PM -0400, Trevor Jennings wrote:
Which I assume means if Stripped-User-Name is null, then use mschap:User-Name?
Yes
I do not understand what I would need to do to achieve this. Would I need to set 'nostrip' under the realm for the domain of that user authenticating?
I would use unlang to see if the User-Name matches "^host/", and if so call a different instantiation of mschap configured for machine auth instead, rather than trying to configure one instance of mschap to magically work with both. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I would use unlang to see if the User-Name matches "^host/", and if so call a different instantiation of mschap configured for machine auth instead, rather than trying to configure one instance of mschap to magically work with both.
+1 we do similar to that ....for eduroam...not sure what that Eduroam is ;) alan
Ha, thanks mate... I meant eduroam :) When I use the unlang condition to check for host in the User-Name, would it go under 'sites-enabled/default' authenticate section? Thanks for your help. Cheers, - Trevor On Sun, Jun 26, 2016 at 6:10 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
I would use unlang to see if the User-Name matches "^host/", and if so call a different instantiation of mschap configured for machine auth instead, rather than trying to configure one instance of mschap to magically work with both.
+1 we do similar to that ....for eduroam...not sure what that Eduroam is ;)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
When I use the unlang condition to check for host in the User-Name, would it go under 'sites-enabled/default' authenticate section?
if thats the main virtual server that requests go through - then yes. would advise that you create your own virtual servers and have the relevant client definitions pointing to them - allowing you trivial isolation of different policies (eg for eduroam, put requests form national proxies straight through a minimal virtual server that starts with permit_only_eap and then just auths - with pap,mschap,etc etc all removed in the outer...and only the required EAP method in inner. no VLAN assign etc etc. then your internal virtual server (for host auth/user auth etc) can have all this stuff for internal requirements... alan
Hello, Thanks guys for your help on this!! I configured 2 instances of mschap, one for machine auth and the other for users and called the machine auth one based on the user name containing 'host'. Everything works well now :) And the virtual servers is a good idea! Cheers, - Trevor On Mon, Jun 27, 2016 at 4:31 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
When I use the unlang condition to check for host in the User-Name, would it go under 'sites-enabled/default' authenticate section?
if thats the main virtual server that requests go through - then yes. would advise that you create your own virtual servers and have the relevant client definitions pointing to them - allowing you trivial isolation of different policies (eg for eduroam, put requests form national proxies straight through a minimal virtual server that starts with permit_only_eap and then just auths - with pap,mschap,etc etc all removed in the outer...and only the required EAP method in inner. no VLAN assign etc etc. then your internal virtual server (for host auth/user auth etc) can have all this stuff for internal requirements...
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Matthew Newton -
Trevor Jennings -
Trevor Jennings