NTLM Auth Help

Garber, Neal Neal.Garber at energyeast.com
Tue Jun 2 15:37:23 CEST 2009

We pass hostname$ to ntlm_auth by rewriting the User-Name attribute as


        attr_rewrite machine_UserName {

               attribute = User-Name

               searchin = packet

               searchfor = "^host/(.*).domain.name"

               replacewith = "%{1}$"

               ignore_case = yes

               new_attribute = no

               max_matches = 1

               append = no



To change from host/hostname.domain.name to hostname$.  Then, include
machine_UserName in the authorize and authenticate sections before



freeradius-users-bounces+neal.garber=energyeast.com at lists.freeradius.org
[mailto:freeradius-users-bounces+neal.garber=energyeast.com at lists.freera
dius.org] On Behalf Of Rupert Finnigan
Sent: Monday, June 01, 2009 2:59 PM
To: FreeRadius users mailing list
Subject: NTLM Auth Help


Hi All,


Wander if someone can help me resolve a problem I'm experiencing....


I'm using FreeRADIUS to provide AAA for 802.1X for wireless in a number
of sites. It doesn't need to be 100% up all the time, and so I've got
one server back in our central site that handles all the requests over
our site-to-site VPNs.


The users are stored in either AD, or SQL. SQL is fine, and I've
modified the queries to suit my environment. My real problem is with the
AD.... I can get it to authenticate users no problems, but not machines.
I've got three AD domains I have users in that I need to authenticate:
WB-UK, WB-US & WB-AU. These are sub-domains of WB-ROOT, which has no
users and is there simple to provide trusts etc.


All my users can authenticate fine, as the ms-chap module fills in the
nt-domain variable and all is good. However, host authentication
fails... I need host authentication to facilitate password expiration
messages and changes to keep everyone authenticating OK, and not getting
locked out.


I'm sure that someones dealt with this before, and so I'd be very
grateful for feedback and help. What do I need to supply to ntlm_auth
for a machine user name, the "host/machine.domain.local" style, or the
"$machine$" style? And, is this a problem best solved by setting the
ntlm_auth program variable based on unlang checks against an extracted
realm? Or, is there another way to make this all behave? I've tryied
using Alan's suggested line on the "how-to" on deployingradius.org, but
the "if no nt-domain, use a manually entered default" bit seems to
confuse host auth.


Many thanks in advance for any help offered,



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090602/aa511963/attachment.html>

More information about the Freeradius-Users mailing list