Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

McNutt, Justin M. McNuttJ at
Wed Mar 2 21:33:56 CET 2011

> I think you'll have to do that. The tedious bit is matching 
> the domains in the regexps.
> My advice would be to define a local, internal-only attribute in 
> /etc/raddb/dictionary:
> ATTRIBUTE	My-NT-Domain	3003	string

> ...then in your ntlm_auth helper, do:
>   ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."

Done.  Works:

[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]        expand: --domain=%{} ->

(We'll get back to that "deprecated conditional" part later, assuming it's not part of the problem.)

> ...and set this in your regexps:
> if (User-Name =~ /host[/].+[.]/) {
>    update request {
>      My-NT-Domain = "DOMAIN.COM"
>    }
> }
> elsif (...) {
> }

I had this whole long e-mail about how it wasn't working yet the way I expected and wasn't matching all the time and blah blah blah.  I was copying some more stuff out of the debug output to paste in here when I saw this:

Sending tunneled request
        EAP-Message = 0x0208002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
        FreeRADIUS-Proxied-To =
        User-Name = "host/"
server campus-inner-tunnel {
+- entering group authorize {...}

... "campus-inner-tunnel" ...  I'm working on the wrong virtual server!  I mean, the variables were getting matched and modified, but only on the outer tunnel (campus-eap)!  Curses!

So I moved (*moved*, not *copied*) the "if User-Name =~ /stuff/" block to the 'campus-inner-tunnel' virtual server's config just after the "suffix" and "ntdomain" items are called, and bingo!  My-NT-Domain is set correctly and the host is able to get in.

NOTE:  This successful test was done AFTER the output you see above that references "".  The domain "" is a valid domain here, but there are no computers in it.  I was using that domain so I could see if the expansion was working, not getting modified, or what.  It also means that it won't work by accident due to my defaults.  It all has to work or it breaks.  So I now KNOW that this stuff you guys have been helping me set up works THE WAY WE ALL THINK IT SHOULD, not just by accident.  Totally awesome.

I may set up the eventual production box to have a more tolerant default, but this was perfect for testing.  We'll see.

Anyway, now that this part is working, I'm going to double-check that I haven't now broken user-based auth.  If not, I'm going to try to re-write the pattern match to actually pull the domain name out as %{1} so it works for all domains using one bit of code, rather than hard-coding in every domain I deem as "valid".

However it ends up working, I'll respond back to the list, since it sounds like at least one other person was interested in making this work soon.

Thanks very much for all the help, everyone.  This has been enlightening.
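An added example of the single-rule version described in the message above (not the poster's or the FreeRADIUS project's own configuration). It goes in the `authorize` section of the inner-tunnel virtual server, after `suffix` and `ntdomain`, which is where the poster found the match had to live. It assumes the locally defined `My-NT-Domain` attribute from the thread and, as a placeholder mapping, that the NT domain is the first DNS label after the host name; the capture groups `%{1}`..`%{3}` are FreeRADIUS 2.x regex captures.

```unlang
# Added example, not from the original post.
# Inner-tunnel "authorize" section, placed after "suffix" and "ntdomain".
# One rule derives My-NT-Domain from a host/ style User-Name instead of
# one hard-coded block per domain.
#
# Assumes the attribute defined earlier in the thread:
#   ATTRIBUTE   My-NT-Domain   3003   string
# Placeholder mapping: NT domain = first DNS label after the host name
# (e.g. host/pc1.lab.example.com -> "lab"); adjust to your AD naming.

if (User-Name =~ /^host[/]([^.]+)[.]([^.]+)[.](.+)$/) {
    # %{1} = host name, %{2} = first DNS label, %{3} = rest of the suffix
    update request {
        My-NT-Domain := "%{2}"
    }
}
# A User-Name that does not match leaves My-NT-Domain unset, so ntlm_auth
# falls back to whatever default the mschap module supplies.
```

To consume it, the mschap module line becomes `ntlm_auth = "... --domain=%{%{My-NT-Domain}:-DEFAULTVALUE} ..."`, the nested form that FreeRADIUS 2.x expects for a default value; the older `%{My-NT-Domain:-DEFAULTVALUE}` form is what produced the "Deprecated conditional expansion" warning in the debug output. Verify the rule with `radiusd -X` and check that the `expand: --domain=` line appears under the inner-tunnel server, not the outer one, with the expected domain filled in.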


More information about the Freeradius-Users mailing list