Are possible multiple ntdomain realms??????
And if they are, what efect has with_ntdomain_hack=yes. Does it affect to all?? Well, Hi you all I hope haven't been too direct ;) I'll getting more troubles as I do more complex configurations. I ask this because first I had to authenticate users by machine authentication. The users in this case sends User-Name like host/username and the only way I found for working this out was to use ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack. The other options stripes the User-Name but then packets doesn't match EAP-Identity ( at least one of them ), that is why I used ntdomain, for being able to use with_ntdomain_hack. Now I've got pda-users that sends domain\username and if I don't use ntdomain & with_ntdomain_hack it fails. So, that's why I ask if multiple ntdomains are allowed and how. Any method or idea will be welcome. Thanks
wekz wrote:
And if they are, what efect has with_ntdomain_hack=yes. Does it affect to all??
Well, Hi you all I hope haven't been too direct ;)
I'll getting more troubles as I do more complex configurations.
I ask this because first I had to authenticate users by machine authentication. The users in this case sends User-Name like host/username and the only way I found for working this out was to use ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack. The other options stripes the User-Name but then packets doesn't match EAP-Identity ( at least one of them ), that is why I used ntdomain, for
Yes, this is a pain. The correct thing to do is below
being able to use with_ntdomain_hack.
FreeRadius 1.1.0 has code to do this for you - it will take names of the form "host/blah" and turn them into "blah$" *IF* you are using the "%{mschap:User-Name}" expansion. The "%{User-Name}" is left alone, meaning EAP carries on working.
Now I've got pda-users that sends domain\username and if I don't use ntdomain & with_ntdomain_hack it fails. So, that's why I ask if multiple ntdomains are allowed and how.
Again, this is annoying. The best way I've found is to have this: proxy.conf (contains only "real" domains) realm THEDOMAINNAME { type = radius authhost = LOCAL accthost = LOCAL # see [1] for strip strip } realm DEFAULT { type = radius authhost = LOCAL accthost = LOCAL # see [1] for strip strip } realm NULL { type = radius authhost = LOCAL accthost = LOCAL # see [1] for strip strip } radiusd.conf (portions omitted): modules { mschap { authtype = MS-CHAP with_ntdomain_hack = yes # this all goes on one line # see [2] for mschap:User-Name ntlm_auth = "/path/ntlm_auth --request-nt-key \ --username=%{mschap:User-Name} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}" } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } } authorize { preprocess ntdomain eap mschap } The various bits ensure: 1. "strip" in the realms means there is always a realm-free "%{Stripped-User-Name}" variable, useful for e.g. LDAP/file/SQL searches. 2. The "with_ntdomain_hack" create an mschap:User-Name variable which will always have the domain stripped correctly - "dom\user" goes to "user", and "host/machine" goes to "machine$"
Any method or idea will be welcome.
Thanks
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Phil. I didn't have time to test it yet. I had to install a previous release so I modified the cb.c function. I know what I've done is awful but it was a extreme solution. I'll test yours next week and reinstall the server as soon as posible. Thanks again 2006/6/7, Phil Mayers <p.mayers@imperial.ac.uk>:
wekz wrote:
And if they are, what efect has with_ntdomain_hack=yes. Does it affect to all??
Well, Hi you all I hope haven't been too direct ;)
I'll getting more troubles as I do more complex configurations.
I ask this because first I had to authenticate users by machine authentication. The users in this case sends User-Name like host/username and the only way I found for working this out was to use ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack. The other options stripes the User-Name but then packets doesn't match EAP-Identity ( at least one of them ), that is why I used ntdomain, for
Yes, this is a pain. The correct thing to do is below
being able to use with_ntdomain_hack.
FreeRadius 1.1.0 has code to do this for you - it will take names of the form "host/blah" and turn them into "blah$" *IF* you are using the "%{mschap:User-Name}" expansion. The "%{User-Name}" is left alone, meaning EAP carries on working.
Now I've got pda-users that sends domain\username and if I don't use ntdomain & with_ntdomain_hack it fails. So, that's why I ask if multiple ntdomains are allowed and how.
Again, this is annoying.
The best way I've found is to have this:
proxy.conf (contains only "real" domains)
realm THEDOMAINNAME { type = radius authhost = LOCAL accthost = LOCAL # see [1] for strip strip }
realm DEFAULT { type = radius authhost = LOCAL accthost = LOCAL # see [1] for strip strip }
realm NULL { type = radius authhost = LOCAL accthost = LOCAL # see [1] for strip strip }
radiusd.conf (portions omitted):
modules { mschap { authtype = MS-CHAP with_ntdomain_hack = yes # this all goes on one line # see [2] for mschap:User-Name ntlm_auth = "/path/ntlm_auth --request-nt-key \ --username=%{mschap:User-Name} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}" }
realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } }
authorize { preprocess ntdomain eap mschap }
The various bits ensure:
1. "strip" in the realms means there is always a realm-free "%{Stripped-User-Name}" variable, useful for e.g. LDAP/file/SQL searches.
2. The "with_ntdomain_hack" create an mschap:User-Name variable which will always have the domain stripped correctly - "dom\user" goes to "user", and "host/machine" goes to "machine$"
Any method or idea will be welcome.
Thanks
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Phil Mayers -
wekz