Radius-based windows authentication
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 29 15:21:29 CEST 2008
Julien MIOTTE wrote:
>> 1. Using the windows native supplicant and machine account
>> authentication. Basically the process is this:
>> * machine powers on - no-one logged in
>> * machine uses its own domain account to login "host/$machinename"
>> * user presses ctrl+alt+del
>> * machine validates credentials to the domain controller, over the
>> current network connection
>> * machine downloads the users profile
>> * once the profile is downloaded, the machine does an EAP-Logoff and
>> then re-authenticates using the user credentials
>> * when the user logs out, the machine does an EAP-Logoff and then
>> logs back in using the machine account
>
> Hi, I've been trying to do as you told me.
There's no need to CC me. I read the list.
> Using the native supplicant and MSCHAPv2 on PEAP, the machine now sends its
> own credentials. My problem is that the login is sent with the
> prefix "host/". In my LDAP, the entry of the machine is machine_name$.
>
> I tried to fix this through various ways, and I succeeded by adding an entry in
> the hint file :
> DEFAULT Prefix == "host/", Strip-User-Name = "Yes"
>
> and by changing the filter in the LDAP section :
> filter="(uid=%{Stripped-User-Name:-%{User-Name}})"
> to
> filter="(uid=%{Stripped-User-Name:-%{User-Name}}$)"
>
> Now the authorization works fine, but when the authenticate section is
> processed, the debug prints this :
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>
> Am I doing all of this right ?
>
There's a better way; use the mschap module expansion function, which
will both strip and suffix for you:
filter = "(uid=%{mschap:User-Name})"
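The following is an added example written for this thread; it is not code from FreeRADIUS or from either poster. It models, in Python, what the `%{mschap:User-Name}` expansion produces for the identities an EAP supplicant sends (the exact rules are the editor's reading of rlm_mschap and should be checked against the version you run), and puts that next to the hints-file approach from the question, which appends `$` to every name and would therefore break the user re-authentication step described above. The host names and user names are constructed sample input.

```python
"""Model of the %{mschap:User-Name} expansion used in an rlm_ldap filter.

Assumed behaviour (verify against your FreeRADIUS version):
  "host/pc01.example.org" -> "pc01$"   machine account, short host name + '$'
  "EXAMPLE\\jdoe"         -> "jdoe"    NT-style DOMAIN\\ prefix removed
  "jdoe"                  -> "jdoe"    plain user name unchanged
"""


def mschap_user_name(identity: str) -> str:
    """Emulate %{mschap:User-Name}.

    Machine accounts present themselves as host/<fqdn>: the host/ prefix is
    dropped, only the short host name (up to the first '.') is kept, and a
    '$' is appended so it matches the computer object's account name.
    User identities of the form DOMAIN\\user lose the domain prefix.
    """
    if identity.lower().startswith("host/"):
        short_host = identity[5:].split(".", 1)[0]
        return short_host + "$"
    _, sep, user = identity.rpartition("\\")
    return user if sep else identity


def hints_plus_dollar(identity: str) -> str:
    """Emulate the questioner's setup: hints strips 'host/', the LDAP filter
    then appends '$' unconditionally, so ordinary users become 'user$'."""
    stripped = identity[5:] if identity.startswith("host/") else identity
    return stripped + "$"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so an
    identity containing '*', '(', ')' or '\\' cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter(identity: str) -> str:
    """Equivalent of:  filter = "(uid=%{mschap:User-Name})"  """
    return "(uid=%s)" % ldap_escape(mschap_user_name(identity))


if __name__ == "__main__":
    # constructed sample identities, as a Windows supplicant would send them
    for ident in ["host/pc01.example.org", "EXAMPLE\\jdoe", "jdoe"]:
        print("%-25s mschap -> %-18s hints+$ -> (uid=%s)"
              % (ident, ldap_filter(ident), hints_plus_dollar(ident)))
```

Running it shows the machine identity landing on `(uid=pc01$)` in both approaches, while a user logon lands on `(uid=jdoe)` with the mschap expansion but `(uid=jdoe$)` with the hints-plus-`$` filter, which is why a single filter using the expansion is the better fit for a box that alternates between machine and user authentication.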