Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

McNutt, Justin M. McNuttJ at missouri.edu
Wed Mar 2 22:47:25 CET 2011


Holy crap, it works!  I spent some time un-doing as many of the other changes as I could find (that is, anything that deviates from the default and isn't shown below).  So what follows should be everything needed to make this work.

STEP 1:  CUSTOM ATTRIBUTE
=========================
> My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary:
> ATTRIBUTE	My-NT-Domain	3003	string

This was done exactly as shown.


STEP 2:  UPDATE MSCHAP MODULE TO USE CUSTOM ATTRIBUTE, IF SET
=============================================================
> >   ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."

This was modified slightly to preserve DOMAIN\USER authentication attempts.  Here's what I have working in /etc/raddb/modules/mschap (prettified with the backslashes only for readability here):

ntlm_auth = "/usr/bin/ntlm_auth \
	--request-nt-key \
	--username=%{mschap:User-Name} \
	--domain=%{My-NT-Domain:-%{mschap:NT-Domain}} \
	--challenge=%{mschap:Challenge:-00} \
	--nt-response=%{mschap:NT-Response:-00}"

Now this generates the following messages:
> [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> [mschap]        expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} -> --domain=col.missouri.edu

So I changed it to use --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}.  That cleared up the warning messages.  You can also set it to default to one domain or another, or (I suppose) fall through both variables to a default domain.  I haven't bothered with this.  Yet.


STEP 3:  SET UP REGEX TO GRAB AD-STYLE DOMAIN NAME FOR HOST AUTH
================================================================

This part goes ONLY IN THE inner-tunnel VIRTUAL SERVER DEFINITION when doing EAP authentication.  At one time, I had these bits in both the outer and inner virtual servers.  In my case, I only care about EAP authentication, so I reverted the outer tunnel to the defaults and made these changes to the inner-tunnel virtual server.  If you aren't doing EAP, or you aren't sure, you can add this code to the outer virtual server without problems (as far as I can tell).

Anyway, here's the code:

        #
        suffix
#       ntdomain

        # Match 'host', then a slash, then the computer name
        # (stuff that's not a dot), then a dot.
        # Grab everything after that and use it as the domain.
        if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) {
                update request {
                        My-NT-Domain = "%{1}"
                }
        }

The "suffix" and "ntdomain" lines are shown for context, to show *where* I have this code, and also to demonstrate that this works with the "ntdomain" part commented out.  Any shenanigans with THIS\THAT User-Name values are handled correctly by mschap, so it's unnecessary to play with it here.


STEP 4:  IT WORKS, BUT GOOD LORD, *WHY*?
========================================

IF IT'S A HOST ACCOUNT:
	- Anything after the first "dot" in the computer's FQDN is pulled out and assigned to the custom attribute My-NT-Domain.
		- User-Name is still "host/COMPUTER.DOMAIN"
		- My-NT-Domain is "DOMAIN"
		- %{mschap:NT-Domain} is in a "don't care" state.  My-NT-Domain overrides it.
	- ntlm_auth is called and My-NT-Domain is used for the --domain part, since it has a value.
	- It works!

IF IT IS NOT A HOST ACCOUNT:
	- It is extremely unlikely that the User-Name variable will match "host/foo.bar", so My-NT-Domain remains unset.
	- With My-NT-Domain unset, ntlm-auth uses %{mschap:NT-Domain} instead, which is what we were doing with only user accounts anyway.
	- It works!

IF YOU LOGGED INTO A WINDOWS MACHINE USING A LOCAL ACCOUNT:
	If it's XP, this isn't going to work.  Even though the XP machine is a member of the domain and has successfully authenticated, XP will switch over to the user ID you used to log in.  Since that's a local account, this will fail.
	WORKAROUND (XP):  You can go into "View Wireless Networks", select the network, click "Connect".  Wait a few seconds and a bubble will appear above the systray prompting you for credentials.  I used "DOMAIN\USER" format in the "User" field, my password in the obvious place, and left the "Domain" field blank.  After that, whenever I logged in using that same local account, XP cached my domain user's credentials for logging into the network.
	WORKAROUND (Vista/Win7):  I believe Windows Vista and newer can be configured so that the computer does not try to re-authenticate upon user login.  That is, it can be made to log in using the AD host account and just stay there forever, thus enabling the use of whatever local accounts you like.  I HAVE ONLY READ ABOUT THIS AND NEVER TESTED IT.  I plan to work on this next.  I'll post my results, if no one else beats me to it.

Many thanks to everyone on the freeradius-users mailing list, including Alan, Alan, and Phil for your insights on this.  And anyone, please chime in if there are any obvious pitfalls in this method or better ways to implement this short of messing with the source code.

--J



More information about the Freeradius-Users mailing list