Machine Authentication and Active Directory group lookups

Graham, Robert rgraham at mem-ins.com
Tue Jan 18 22:11:04 CET 2011


Hello all,

I have FreeRadius v 2.1.10 installed and configured to authenticate
users against Active Directory using PEAP/MSChapV2 and perform Group
membership lookups via the ldap module so that I can configure radius
reply attributes to provide VLAN assignment and Dynamic ACLs.  All is
working extremely well, but one item that I would also like to get
working is the Machine Authentication.  Machine Authentication is
working with the exception of the ldap group lookup.  From what I can
tell, when the machine authenticates, the ntlm_auth knows that the
request is a Machine Authentication and appends the $ to the end of the
username for the sAMAccountName:


# Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[inner-eap] Request found, released from the list
[inner-eap] EAP/mschapv2
[inner-eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr//etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/lab.XXXX.com
[mschap] Told to do MS-CHAPv2 for host/lab.XXXX.XXX with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} ->
--username=lab$
[mschap]  mschap2: 78
[mschap] Creating challenge hash with username: host/lab.XXXX.XXX
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=a9c34f78fae78fd0
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=961d047adaedc84346d00fcd2a0a67139ff4a95c9e13ae61
Exec-Program output: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program-Wait: plaintext: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success


Since I am using:

filter = "(&(sAMAccountName=%{mschap:User-Name}))" in the ldap module,
FreeRadius is trying to do a group lookup on: lab$ which is not found in
any Active Directory groups:

# Executing section post-auth from file
/usr//etc/raddb/sites-enabled/default
+- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
[files]         expand: ou=XXXX,dc=XXXX,dc=XXX -> ou=XXXX,dc=XXXX,dc=XXX
[files]         expand: (&(sAMAccountName=%{mschap:User-Name})) ->
(&(sAMAccountName=lab$))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=XXXX,dc=XXXX,dc=XXX, with filter
(&(sAMAccountName=lab$))
  [ldap] object not found


Is it possible to remove the "$" from the sAMAccountName in the LDAP
module without breaking the User Authentication?

Thanks
Robert Graham
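One way to do what the post asks, as an added example that is not from the original message or from the FreeRADIUS project's own configuration: set Stripped-User-Name from the "host/<fqdn>" identity in the authorize section, and let the ldap filter fall back to the existing "%{mschap:User-Name}" expansion whenever Stripped-User-Name is absent, so ordinary user logons keep the current behaviour. It assumes FreeRADIUS 2.x unlang syntax, the stock raddb layout (sites-enabled/default, sites-enabled/inner-tunnel, modules/ldap), and that the machine identity arrives as "host/lab.example.com"; the host and domain names are placeholders.

```unlang
# --- raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel ---
# Inside "authorize { ... }", before the ldap and eap entries.
#
# A Windows supplicant doing machine authentication sends the EAP identity
# "host/lab.example.com". Capture the bare host name ("lab") into
# Stripped-User-Name. The condition only matches identities that start with
# "host/", so user identities (jdoe, DOMAIN\jdoe, jdoe@domain) are untouched.
if (User-Name =~ /^host\/([^.\/]+)/i) {
    update request {
        Stripped-User-Name := "%{1}"
    }
}

# --- raddb/modules/ldap ---
# Use the stripped host name when it exists, otherwise fall back to the
# expansion already in use on this setup ("%{mschap:User-Name}"), which yields
# "lab$" for machine identities and the plain user name for user logons.
# The outer %{...:-...} form is the documented "use default if empty" xlat.
ldap {
    # server / identity / password / basedn as already configured
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}})"
}
```

Two caveats before adopting this. First, if the realm modules (suffix, ntdomain) are also enabled in authorize, they set Stripped-User-Name for user@realm and DOMAIN\user logons too, so the filter would then search for the bare user part; that is normally what sAMAccountName holds, but check it against the existing user flow before rolling out. Second, Active Directory stores computer accounts with a sAMAccountName that does end in "$" (the object for "lab" is "LAB$", compared case-insensitively), so the "object not found" in the log may equally mean that the computer object lives outside the configured basedn (for example in the Computers container) rather than that the "$" is wrong; if a search for "(sAMAccountName=lab$)" from the domain root does return the object, widening basedn and keeping the "$" is the smaller change.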


