machine authentication

Michael Messner michael.messner_edv at
Wed Nov 15 17:07:43 CET 2006

ok, now the normal authentication process works again!

normally our config from the ldap request looks like the following:


basedn = "CN=Users,DC=isalab,DC=local"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
groupname_attribute = cn
groupmembership_filter =
groupmembership_attribute = memberOf

DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == ISALAB.local
        Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole",
        Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network",
        Fall-Through = No

with this config we get the groupmembership from the users and we can
give the filter-ID back to the switches.

But with machine authentication it looks a bit different!
first the DC is Computers, no more users, then the sAMAccountName is for
example IT88$ and freeradius gives the name host/it88.isalab.local to the
AD, but this name stands in the servicePrincipalName!
also there is no memberOf any more at the device!

any ideas how this can be done?

ca mIke
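
Added example, not part of the original post and not FreeRADIUS code: a sketch of how the LDAP search base and filter differ for the user and machine identities described above, with the identity escaped per RFC 4515 before it enters the filter. The function names, the CN=Computers container DN, and the rule that the sAMAccountName is the upper-cased first host label plus "$" are assumptions made for illustration.

```python
# Added illustration: choose LDAP base DN and filter for a RADIUS identity.
# DNs reuse the isalab.local names from the post; helper names are hypothetical.
USERS_DN = "CN=Users,DC=isalab,DC=local"
COMPUTERS_DN = "CN=Computers,DC=isalab,DC=local"  # assumed computer container

# RFC 4515 characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so a supplied identity cannot change the filter logic."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def machine_sam_account_name(identity):
    """host/it88.isalab.local -> IT88$ (assumes host name == account name)."""
    host = identity.split("/", 1)[1]
    return host.split(".", 1)[0].upper() + "$"


def ldap_lookup(identity):
    """Return (base_dn, filter) for a user or a machine identity."""
    if identity.lower().startswith("host/"):
        # Machine auth: the name handed to AD matches servicePrincipalName,
        # and the object lives under Computers, not Users.
        spn = escape_filter_value(identity)
        return COMPUTERS_DN, "(servicePrincipalName=%s)" % spn
    # User auth: drop DOMAIN\ prefix or @realm suffix, as Stripped-User-Name does.
    name = identity.split("\\")[-1].split("@")[0]
    return USERS_DN, "(sAMAccountName=%s)" % escape_filter_value(name)


if __name__ == "__main__":
    # Constructed sample identities.
    for ident in ("mike@ISALAB.local", "host/it88.isalab.local", "a*)(cn=*"):
        print(ident, "->", ldap_lookup(ident))
    print(machine_sam_account_name("host/it88.isalab.local"))
```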
