Couldn't authenticate windows host account with freeradius + ldap backend + samba domain controller

david.barbion at adeoservices.com david.barbion at adeoservices.com
Fri Dec 14 11:07:27 CET 2007


Hello,


We have a Samba domain controller (3.0.9) with freeradius on it and 
several windows XP SP2 workstations attached to it.
Actually, this wired setup is working correctly.

We are planning to use wifi on those workstations but we encounter many 
problems.

Here is our wifi setup:
Our APs are cisco 12xx, WPA/PEAP/MSCHAPV2 + 802.1x to the 
Samba/freeradius servers.
Samba is configured to use LDAP as a backend to store its accounts 
(computers/users/groups).

On the XP workstations, we use its own supplicant.

Freeradius version 1.1.7 is configured to authorize computers and users 
from ldap and the authentication is made in mschapv2 through eap.

The user authentication is working but not the computer, and we must have 
this working so that if the computer is switched on and nobody is logged 
in, it can still have access to the network (for applying nightly updates, 
for example).

The problem is when a computer tries to authenticate, the User-Name sent 
is "host/computername", but in ldap we have entries like 
"computername$". So we have some attr_rewrite that removes host/ and 
adds the dollar sign. rlm_ldap finds the entry correctly, but EAP 
complains about the user name change: "rlm_eap: Identity does not match 
User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler"

Is there an existing solution to our problem?

Thanks in advance for any response.

PS: I attach the log where you can see what happens, the radiusd.conf and 
an example computer account (in ldif format)



This message and all attachments are intended exclusively for their addressees and are confidential. If you receive this message by mistake, please destroy it and notify the sender immediately. Since the Internet cannot guarantee the integrity of this message, its content in no way represents a commitment on the part of Adeo Services.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.log
Type: text/x-log
Size: 13945 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071214/309f5217/attachment.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd.conf
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071214/309f5217/attachment.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dell.ldif
Type: text/x-ldif
Size: 653 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071214/309f5217/attachment-0001.bin>
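The failure described in the post above, modelled as an added example that is not part of the original message or of FreeRADIUS: the rlm_eap check requires the identity carried in the EAP-Message to equal the RADIUS User-Name, so an attr_rewrite that turns User-Name itself from `host/computername` into `computername$` satisfies rlm_ldap but makes that check fail. The model contrasts the in-place rewrite with keeping User-Name untouched and placing the LDAP lookup key in a separate attribute; `Stripped-User-Name` is the attribute FreeRADIUS conventionally uses for a derived name, and pointing the ldap module's filter at it instead of at User-Name is an assumption of this example, not something the post states. The `uid` attribute in the filter, the `machine_account_name`, `eap_identity_check`, `rewrite_in_place`, `derive_lookup_key` and `ldap_filter` names, and the sample request are all constructed here.

```python
# Added example (not from the original post): a model of why rewriting
# User-Name before rlm_eap runs yields "Identity does not match User-Name".
import re
from typing import Dict, Optional, Tuple

# 802.1X machine identities arrive as "host/<computer name>".
HOST_PREFIX_RE = re.compile(r"^host/(?P<name>[^/]+)$", re.IGNORECASE)


def machine_account_name(user_name: str) -> Optional[str]:
    """Map 'host/COMPUTER' to the Samba machine account name 'COMPUTER$'.
    Returns None for identities that are not machine accounts."""
    m = HOST_PREFIX_RE.match(user_name)
    if not m:
        return None
    return m.group("name") + "$"


def eap_identity_check(request: Dict[str, str]) -> Tuple[bool, str]:
    """Model of the rlm_eap consistency check quoted in the post: the
    identity inside the EAP-Message must equal the User-Name attribute."""
    if request["User-Name"] != request["EAP-Identity"]:
        return (False,
                "rlm_eap: Identity does not match User-Name, "
                "setting from EAP Identity.")
    return True, "ok"


def rewrite_in_place(request: Dict[str, str]) -> Dict[str, str]:
    """The failing approach: attr_rewrite replaces User-Name itself,
    so User-Name and the EAP identity no longer agree."""
    req = dict(request)
    acct = machine_account_name(req["User-Name"])
    if acct:
        req["User-Name"] = acct
    return req


def derive_lookup_key(request: Dict[str, str]) -> Dict[str, str]:
    """Assumed alternative: leave User-Name alone and carry the LDAP lookup
    key in Stripped-User-Name (the ldap filter is assumed to use it)."""
    req = dict(request)
    acct = machine_account_name(req["User-Name"])
    req["Stripped-User-Name"] = acct if acct else req["User-Name"]
    return req


def ldap_filter(lookup_key: str) -> str:
    """Build the ldap search filter for the lookup key, escaping the
    RFC 4515 special characters so a crafted identity cannot alter
    the filter (the 'uid' attribute name is an assumption)."""
    escaped = lookup_key.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"),
                     ("\x00", "\\00")):
        escaped = escaped.replace(ch, code)
    return "(uid=%s)" % escaped


if __name__ == "__main__":
    # Constructed sample: a machine authentication for computer "dell".
    sample = {"User-Name": "host/dell", "EAP-Identity": "host/dell"}
    print("rewrite in place:", eap_identity_check(rewrite_in_place(sample)))
    fixed = derive_lookup_key(sample)
    print("separate key:   ", eap_identity_check(fixed),
          ldap_filter(fixed["Stripped-User-Name"]))
```

Running the block prints the rlm_eap error for the in-place rewrite and a passing check plus the filter `(uid=dell$)` for the separate-key variant; in a real deployment the equivalent is to verify in `radiusd -X` output that User-Name is unchanged when rlm_eap runs and that rlm_ldap's filter expands to the `$`-suffixed account.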

