question about windows users

Ivan Kalik tnt at kalik.net
Thu May 14 12:54:59 CEST 2009


> I have freeradius with eap support on debian etch, radius v1.1.3

2.0.4 should be available for Debian. Upgrade. Vista doesn't work with
1.1.3. And you will have problems with XP SP3.

> "everything" is working fine but I'd like to have a much simpler
> configuration,
> only by certificate and nothing more,
> so I have a few questions:
>
> 1.
> fragment of my log first, before question
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182,
> length=159
>         NAS-IP-Address = 192.168.5.206
>         NAS-Port = 50046
>         NAS-Port-Type = Ethernet
>         User-Name = "PC-01\\Administrator"
>         Called-Station-Id = "00-0C-30-81-9B-EE"
>         Calling-Station-Id = "00-0A-E4-13-1A-02"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         EAP-Message =
> 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72
>         Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up
> realm
> NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>
> my users file contains:
> "PC-01\\Administrator" User-Password == "passwd"
>
> How can I avoid this value PC-01? It's really annoying. I would like to
> have only the real user; PC-01 is "my computer -> properties -> computer
> name -> full computer name". I would like to have only the username
> (regardless of case).

1. Don't use Windows logon name. Untick that when you are making the
connection.

2. You can't strip username in EAP. Use ntdomain. It's listed but
commented out in default configuration.

> sth like
> "administrator" User-Password == "passwd"
>

For that to work add domain bit as local realm to proxy.conf.

> 2.
> I would like to use only a certificate to check whether or not some
> computer should have a network connection.
> I don't care about login or password;
> if the client has a valid cacert.pem installed on the PC (Windows XP) it
> should be granted access to the network. Is it possible to do that?

Use EAP-TLS to connect (Smart card or certificate in Windows speak).

> 3.
> When I read the log from freeradius -X I see that one PC needs
> 7 requests in freeradius and on the 8th request it is accepted. Is that OK?
>

Yes.

Ivan Kalik
Kalik Informatika ISP
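
An added illustration of the ntdomain point in the reply above (not code from the thread or from FreeRADIUS): it decodes an EAP-Response/Identity like the EAP-Message in the log and splits `DOMAIN\user` at the first backslash, as a prefix-format realm does. The sample packet, `build_sample()` and the other function names are constructed for this example.

```python
import struct

EAP_RESPONSE = 2        # EAP Code field: Response
EAP_TYPE_IDENTITY = 1   # EAP Type field: Identity


def build_sample(identity: str, ident: int = 0) -> bytes:
    """Constructed sample: an EAP-Response/Identity carrying `identity`."""
    data = identity.encode("utf-8")
    # Header is Code(1) Identifier(1) Length(2) Type(1); Length covers it all.
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data


def parse_eap_identity(eap_message: bytes) -> str:
    """Return the identity string from an EAP-Response/Identity packet."""
    if len(eap_message) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if length != len(eap_message):
        raise ValueError("EAP Length field does not match packet size")
    if code != EAP_RESPONSE or eap_message[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return eap_message[5:].decode("utf-8")


def split_ntdomain(identity: str):
    """Split 'DOMAIN\\user' at the first backslash (prefix realm format).

    Returns (realm, username). realm is None when there is no backslash,
    which is the "NULL" realm case seen in the log. The identity inside
    the EAP packet is not modified; only this derived username changes.
    """
    realm, sep, user = identity.partition("\\")
    if not sep:
        return None, identity
    return realm, user


if __name__ == "__main__":
    pkt = build_sample("PC-01\\Administrator")
    ident = parse_eap_identity(pkt)
    print(pkt.hex(), ident, split_ntdomain(ident))
```

The server keeps the original User-Name and exposes the stripped part separately, which is why the identity carried inside EAP still matches what the client sent.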



