Expired Active Directory Passwords & Wireless Authentication
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 10 10:50:15 CEST 2012
On 10/10/2012 03:21 AM, Jason Agress wrote:
> Will that allow successful RADIUS authentication - and, therefore
> wireless access - before the password change is initiated? Because our
> clients are Macs that won't prompt for password change until after they
> are connected to the wireless and authenticating against AD.
Ah. Then no, mschap password changes won't help. FreeRADIUS just calls
out to AD to auth users. If AD refuses to auth because the password is
expired, the only thing you can do is a password change, which requires
client support.
Since you're using Macs, you do have one option - change your EAP method
to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth
types you can "force" an accept on. Other auth types use
challenge/response methods that require both sides to prove to each other
that they know the credentials.
To implement this, you'd:
1. Install FreeRADIUS
2. Get EAP working with a local user
3. Get EAP working with AD users via Samba
Everything up to this point is documented - see the wiki or
deployingradius.com. Once you've got that far, you need to set up two things:
* TTLS
* A script to auth PAP against AD, wrapping ntlm_auth
The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails,
check for "expired" and force a success.
Anyway - if you're willing to move from PEAP to TTLS, get the basics
working then if you need advice, ask here again - people will be glad to
help. It's relatively straightforward, but all the pieces might not be
documented in obvious places.
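An added example of the ntlm_auth wrapper the post describes (this is not Phil's code or FreeRADIUS's own; it is written for this page). It is a POSIX sh script meant to be called from FreeRADIUS's exec module as the PAP authenticator behind EAP-TTLS. The part that matters is the classification: it forces an accept only when ntlm_auth reports NT_STATUS_PASSWORD_EXPIRED or NT_STATUS_PASSWORD_MUST_CHANGE (real Samba status names, which ntlm_auth prints on stdout), turns every other NT_STATUS failure into a reject, and treats output with no NT_STATUS at all (winbindd down, DC unreachable) as a fail rather than a reject. The exit-code mapping 0/1/2 = ok/reject/fail is rlm_exec's convention. The script path, the NTLM_AUTH and NT_DOMAIN environment overrides and the EXAMPLE domain are assumptions for illustration.

```shell
#!/bin/sh
# ntlm_auth wrapper for FreeRADIUS exec module (added example, not from the post).
# Assumed exec configuration (wait = yes):
#   program = "/usr/local/bin/ntlm_auth_expired_ok %{User-Name} %{User-Password}"
# Exit codes follow rlm_exec: 0 = ok (accept), 1 = reject, 2 = fail.
# NTLM_AUTH / NT_DOMAIN are assumed environment overrides; EXAMPLE is a placeholder.

# classify_ntlm_result EXITCODE OUTPUT
# Maps ntlm_auth's exit status and its stdout/stderr text to a verdict.
classify_ntlm_result() {
    code="$1"
    out="$2"
    if [ "$code" -eq 0 ]; then
        echo accept
        return 0
    fi
    case "$out" in
        *NT_STATUS_PASSWORD_EXPIRED*|*NT_STATUS_PASSWORD_MUST_CHANGE*)
            # The password was correct but AD demands a change: let the client
            # associate so the OS can run its password-change dialogue.
            echo accept ;;
        *NT_STATUS_*)
            # Wrong password, unknown user, locked/disabled account, ...:
            # any other AD verdict stays a reject. Never widen this to "*".
            echo reject ;;
        *)
            # No AD verdict at all (winbindd not running, DC unreachable):
            # report a fail so the failure is visible, not a silent reject.
            echo fail ;;
    esac
}

# verdict_to_exit VERDICT -> rlm_exec return code
verdict_to_exit() {
    case "$1" in
        accept) return 0 ;;
        reject) return 1 ;;
        *)      return 2 ;;
    esac
}

# run_auth USERNAME PASSWORD
# Calls ntlm_auth the way the FreeRADIUS documentation does (plaintext check,
# credentials on argv) and returns the rlm_exec code for the classified result.
run_auth() {
    user="$1"
    pass="$2"
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    ntlm="${NTLM_AUTH:-/usr/bin/ntlm_auth}"
    domain="${NT_DOMAIN:-EXAMPLE}"
    out=$("$ntlm" --request-nt-key --domain="$domain" \
                  --username="$user" --password="$pass" 2>&1)
    code=$?
    verdict=$(classify_ntlm_result "$code" "$out")
    if [ "$verdict" = accept ] && [ "$code" -ne 0 ]; then
        # Leave an audit trail: this accept was forced, not a clean AD success.
        echo "ntlm_auth_expired_ok: forced accept for expired password, user=$user" >&2
    fi
    verdict_to_exit "$verdict"
}

# Only act as the authenticator when invoked with the two expected arguments.
if [ "$#" -eq 2 ]; then
    run_auth "$1" "$2"
    exit $?
fi
```

Two design points worth keeping in mind when adapting this: the match must stay on the specific "expired" statuses, because a catch-all on any ntlm_auth failure would accept wrong passwords too; and since a user whose password has expired gets full wireless access on nothing but the old password, the natural refinement is to have the script's forced-accept path also emit a reply attribute (rlm_exec can parse stdout as reply pairs when configured to) that lands the session in a restricted VLAN until the password has actually been changed.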