Machine Authentication and Active Directory group lookups

Graham, Robert rgraham at
Tue Jan 18 22:11:04 CET 2011

Hello all,

I have FreeRadius v 2.1.10 installed and configured to authenticate
users against Active Directory using PEAP/MSChapV2 and perform Group
membership lookups via the ldap module so that I can configure radius
reply attributes to provide VLAN assignment and Dynamic ACLs.  All is
working extremely well, but one item that I would also like to get
working is the Machine Authentication.  Machine Authentication is
working with the exception of the ldap group lookup.  From what I can
tell, when the machine authenticates, the ntlm_auth knows that the
request is a Machine Authentication and appends the $ to the end of the
username for the sAMAccountName:

# Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[inner-eap] Request found, released from the list
[inner-eap] EAP/mschapv2
[inner-eap] processing type mschapv2
[mschapv2] # Executing group from file
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/
[mschap] Told to do MS-CHAPv2 for host/lab.XXXX.XXX with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} ->
[mschap]  mschap2: 78
[mschap] Creating challenge hash with username: host/lab.XXXX.XXX
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
Exec-Program output: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program-Wait: plaintext: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success

Since I am using the following in the ldap module:

filter = "(&(sAMAccountName=%{mschap:User-Name}))"

FreeRadius is trying to do a group lookup on "lab$", which is not found
in any Active Directory groups:

# Executing section post-auth from file
+- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
[files]         expand: ou=XXXX,dc=XXXX,dc=XXX -> ou=XXXX,dc=XXXX,dc=XXX
[files]         expand: (&(sAMAccountName=%{mschap:User-Name})) ->
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=XXXX,dc=XXXX,dc=XXX, with filter
  [ldap] object not found

Is it possible to remove the "$" from the sAMAccountName in the LDAP
module without breaking the User Authentication?

Robert Graham
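Added example (not from the post or from the FreeRADIUS project): a Python model of the %{mschap:User-Name} expansion seen in the debug output above and of the (&(sAMAccountName=...)) filter built from it, with RFC 4515 escaping of the substituted value and a constructed sample directory in which the computer account is stored, as AD does, with its trailing "$". The expansion rules, the directory contents and the lookup_groups helper are assumptions made for illustration.

```python
import re

# Constructed sample directory: sAMAccountName -> memberOf.  The computer
# account is stored as "LAB$", which is how AD names computer objects.
SAMPLE_DIRECTORY = {
    "rgraham": ["CN=VLAN10,OU=Groups,DC=example,DC=com"],
    "LAB$": ["CN=Workstations,OU=Groups,DC=example,DC=com"],
}


def mschap_user_name(user_name: str) -> str:
    """Model of what %{mschap:User-Name} expands to in FreeRADIUS 2.x.

    Assumed behaviour, matching the debug output in the post: a host/
    name loses the "host/" prefix and the DNS suffix and gains a
    trailing "$"; a DOMAIN\\user name loses the domain part; any other
    name is passed through unchanged.
    """
    if user_name.lower().startswith("host/"):
        return user_name[len("host/"):].split(".", 1)[0] + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


# RFC 4515 escaping for values substituted into a search filter, so a
# User-Name containing "*" or parentheses cannot widen the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_lookup_filter(user_name: str) -> str:
    """The post's filter, (&(sAMAccountName=...)), with the value escaped."""
    return "(&(sAMAccountName=%s))" % ldap_filter_escape(mschap_user_name(user_name))


def lookup_groups(user_name: str, directory=SAMPLE_DIRECTORY):
    """Resolve the filter against the sample directory.  sAMAccountName is
    matched case-insensitively, as AD does; None means "object not found"."""
    m = re.fullmatch(r"\(&\(sAMAccountName=(.*)\)\)", group_lookup_filter(user_name))
    wanted = m.group(1)
    for name, groups in directory.items():
        if ldap_filter_escape(name).lower() == wanted.lower():
            return groups
    return None
```

A machine name such as host/lab.example.com resolves to the "lab$" entry, while a User-Name of "*" is escaped to "\2a" and finds nothing instead of matching every object.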
