NTLM Auth Help

Rupert Finnigan rupert.finnigan at googlemail.com
Mon Jun 1 20:59:00 CEST 2009

Hi All,

Wander if someone can help me resolve a problem I'm experiencing....

I'm using FreeRADIUS to provide AAA for 802.1X for wireless in a number of
sites. It doesn't need to be 100% up all the time, and so I've got one
server back in our central site that handles all the requests over our
site-to-site VPNs.

The users are stored in either AD, or SQL. SQL is fine, and I've modified
the queries to suit my environment. My real problem is with the AD.... I can
get it to authenticate users no problems, but not machines. I've got three
AD domains I have users in that I need to authenticate: WB-UK, WB-US &
WB-AU. These are sub-domains of WB-ROOT, which has no users and is there
simple to provide trusts etc.

All my users can authenticate fine, as the ms-chap module fills in the
nt-domain variable and all is good. However, host authentication fails... I
need host authentication to facilitate password expiration messages and
changes to keep everyone authenticating OK, and not getting locked out.

I'm sure that someones dealt with this before, and so I'd be very grateful
for feedback and help. What do I need to supply to ntlm_auth for a machine
user name, the "host/machine.domain.local" style, or the "$machine$" style?
And, is this a problem best solved by setting the ntlm_auth program variable
based on unlang checks against an extracted realm? Or, is there another way
to make this all behave? I've tryied using Alan's suggested line on the
"how-to" on deployingradius.org, but the "if no nt-domain, use a manually
entered default" bit seems to confuse host auth.

Many thanks in advance for any help offered,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090601/7a27ec1e/attachment.html>

More information about the Freeradius-Users mailing list