Freeradius, PEAP, Active Directory and --require-membership-of

tnt at kalik.net
Fri Oct 3 20:43:11 CEST 2008


Use:

--username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP


On 3/10/2008, "Vieri" <rentorbuy at yahoo.com> wrote:

>--- On Thu, 10/2/08, Vieri <rentorbuy at yahoo.com> wrote:
>
>> I'm running freeradius-2.0.5 on Linux.
>>
>> My setup is as follows:
>>
>> Windows Vista native client - Linksys AP - FreeRadius Linux
>> server (PEAP/mschapv2) - Active Directory Windows server
>>
>> Everything works smoothly with the following ntlm_auth
>> parameters in the mschap module:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> However, user authentication is rejected when I add the
>> --domain parameter:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain}
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> (from the Windows Vista client I obviously set the DOMAIN
>> field; besides, if I run the freeradius daemon with debug
>> enabled I see that it "correctly" receives
>> 'DOMAIN\username')
>>
>> For starters, I don't understand why authentication
>> fails if I add --domain. How can I find out why?
>>
>> Then, adding --require-membership-of with or without
>> --domain also fails.
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain}
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --require-membership-of='DOMAIN\\WIFI'
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> Finally, running ntlm_auth from the command line yields:
>>
>> # ntlm_auth --request-nt-key --domain=DOMAIN
>> --username=myuser
>> --require-membership-of='DOMAIN\\WIFI'
>> password:
>> NT_STATUS_OK: Success (0x0)
>
>I found this in the radiusd debug log:
>
>[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!
>
>so I removed the '' in the ntlm_auth string like this:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
>and now it works.
>
>So this leads me to ask how I can specify group names with spaces such as 'WIFI 1'.
>
>Also, I had to specify the domain explicitly either via --domain=DOMAIN or --domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication succeeds only if the client does NOT specify a domain in the domain or user field.
>So I'm attaching some debug outputs with the hope that someone can shed some light on this aspect which I obviously don't grasp.
>
>Thanks,
>
>Vieri


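Ivan's advice turns on what the two --username expansions produce once the client sends 'DOMAIN\username'. The block below is an added example, not code from this thread or from FreeRADIUS: a small Python model of the xlat expansion that shows the argv each configuration hands to ntlm_auth. It assumes that %{mschap:NT-Domain} and %{mschap:User-Name} split the RADIUS User-Name at the first backslash and that the expanded string is split into arguments on whitespace only; the sample request values are constructed.

```python
# Added model (not FreeRADIUS code) of the mschap module's ntlm_auth xlat expansion.
# Assumed: %{mschap:NT-Domain}/%{mschap:User-Name} split User-Name at the first
# backslash; the expanded string is then split into argv on whitespace only.

def lookup(name, attrs):
    """Resolve one xlat name; None means 'not present', so any :-default applies."""
    if name in ("mschap:NT-Domain", "mschap:User-Name"):
        domain, sep, user = attrs.get("User-Name", "").partition("\\")
        if name == "mschap:NT-Domain":
            return domain if sep else None        # no backslash: no NT-Domain at all
        return user if sep else domain            # no backslash: whole string is the user
    return attrs.get(name)

def find_close(s, i):
    """Index of the '}' matching the '%{' opened just before i (nesting-aware)."""
    depth = 1
    while i < len(s):
        if s.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{")

def xlat(template, attrs):
    """Expand %{Attr}, %{Attr:-default} and %{mschap:Name[:-default]}; defaults may nest."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i]); i += 1; continue
        end = find_close(template, i + 2)
        name, _, default = template[i + 2:end].partition(":-")  # first ':-' = top-level default
        value = lookup(name, attrs)
        if value is None:                   # attribute missing -> expand default ('' if none)
            value = xlat(default, attrs)
        out.append(value); i = end + 1
    return "".join(out)

def ntlm_auth_argv(config_string, attrs):
    """Expand the configured ntlm_auth string and split it into an argv list."""
    return xlat(config_string, attrs).split()

# Constructed sample request: the client sent 'DOMAIN\user'; no Stripped-User-Name is set.
SAMPLE = {"User-Name": "DOMAIN\\vieri", "mschap:Challenge": "0011223344556677"}
ORIGINAL = ("/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} "
            "--username=%{Stripped-User-Name:-%{User-Name:-None}} "
            "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}")
SUGGESTED = ORIGINAL.replace("%{Stripped-User-Name:-%{User-Name:-None}}", "%{mschap:User-Name}")
```

With the sample request, ORIGINAL yields `--domain=DOMAIN --username=DOMAIN\vieri` (the domain is passed twice), while SUGGESTED yields `--domain=DOMAIN --username=vieri`; a bare `vieri` as User-Name leaves `--domain=` empty unless a `:-DOMAIN` default is given, matching the behaviour described in the quoted message.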


More information about the Freeradius-Users mailing list