Couldn't authenticate windows host account with freeradius + ldap backend + samba domain controller
david.barbion at adeoservices.com
Fri Dec 14 11:07:27 CET 2007
Hello,
We have a Samba domain controller (3.0.9) with freeradius on it and
several windows XP SP2 workstations attached to it.
Actually, this wired setup is working correctly.
We are planning to use wifi on those workstations but we encounter many
problems.
Here is our wifi setup:
Our APs are cisco 12xx, WPA/PEAP/MSCHAPV2 + 802.1x to the
Samba/freeradius servers.
Samba is configured to use LDAP as a backend to store its accounts
(computers/users/groups).
On the XP workstations, we use its own supplicant.
Freeradius version 1.1.7 is configured to authorize computers and users
from ldap and the authentication is made in mschapv2 through eap.
The user authentication is working but not the computer and we must have
this to work so that if the computer is switched on and nobody is logged
in, it can even have access to the network (for applying nightly updates
for example).
The problem is when a computer tries to authenticate, the User-Name sent
is "host/computername", but in ldap we have entries like
computername$. So we have some attr_rewrite that removes host/ and
adds the dollar sign. rlm_ldap finds correctly the entry, but EAP
complains about the user name change:
"rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler"
Is there an existing solution to our problem?
Thanks in advance for any response.
PS: I attach the log where you can see what happens, the radiusd.conf and
an example computer account (in ldif format)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.log
Type: text/x-log
Size: 13945 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071214/309f5217/attachment.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd.conf
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071214/309f5217/attachment.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dell.ldif
Type: text/x-ldif
Size: 653 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071214/309f5217/attachment-0001.bin>
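An added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the name mapping described above (host/ removed, dollar sign appended), showing why overwriting User-Name trips the identity comparison while a separate lookup key does not. The function names, the dict-based request, the "Lookup-Name" key and the handling of a domain suffix are assumptions made for illustration.

```python
# Added illustration; a simplified model, not FreeRADIUS code.
HOST_PREFIX = "host/"

def ldap_lookup_name(user_name: str) -> str:
    """Map a machine identity to the Samba-style LDAP account name.

    "host/computername" -> "computername$" (the rewrite the post describes).
    A domain suffix ("host/pc.example.test") is dropped; that part is an
    assumption beyond the post. Ordinary user names pass through unchanged.
    """
    if not user_name.lower().startswith(HOST_PREFIX):
        return user_name
    machine = user_name[len(HOST_PREFIX):].split(".", 1)[0]
    if not machine:
        raise ValueError("empty machine name in %r" % user_name)
    return machine if machine.endswith("$") else machine + "$"

def identity_matches(request: dict) -> bool:
    """Model of the comparison behind 'Identity does not match User-Name'."""
    return request["EAP-Identity"] == request["User-Name"]

def rewrite_in_place(request: dict) -> dict:
    """What the post's attr_rewrite does: overwrite User-Name itself."""
    out = dict(request)
    out["User-Name"] = ldap_lookup_name(request["User-Name"])
    return out

def rewrite_to_copy(request: dict) -> dict:
    """Alternative: keep User-Name, store the lookup key separately.
    "Lookup-Name" is a hypothetical key, not a RADIUS attribute."""
    out = dict(request)
    out["Lookup-Name"] = ldap_lookup_name(request["User-Name"])
    return out

if __name__ == "__main__":
    # Constructed sample request; the names are placeholders.
    req = {"User-Name": "host/computername", "EAP-Identity": "host/computername"}
    for fn in (rewrite_in_place, rewrite_to_copy):
        res = fn(req)
        print(fn.__name__, res, "identity ok:", identity_matches(res))
```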