authentication by hostname

Mathieu Simon mathieu.sim at gmail.com
Tue Jul 23 10:34:20 CEST 2013


Hi

Could it be you are in an AD environment - your request looks like what I
see in my environment.
If so: Domain-joined Windows machines (for what I have tested) have a
computer account in AD.
This can be used by the Windows client (never tested with domain-joined Macs or
Linux machines) to authenticate as a machine against the network (using PEAP-MSCHAPv2).
Technically you don't authenticate by hostnames but you use the computer's
AD account.

Another way would be to use EAP-TLS with certificates on your machines.

If you implement the Samba/winbind way as described by
deployingradius.com you can authenticate computer
accounts. It required me to tweak the LDAP default config for group-based
authorization, but in case this is what you
are looking for, ping back and I can show you the LDAP filters I use.

If you are only into authentication, most likely the public pages will
already let you in, but
(at least on Debian wheezy) I had to modify modules/mschap as follows:

mschap {

...
        with_ntdomain_hack = yes
...
        # Debian
        # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
        # Mine (at least that made it work)
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
...
}

-- Mathieu
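
Added example, not part of the original post and not FreeRADIUS code: a shell model of what each of the two --username expansions in the config above hands to ntlm_auth for a machine login. It assumes rlm_mschap rewrites a host/NAME.domain User-Name to NAME$ when expanding %{mschap:User-Name}; the function names and sample identities are constructed for illustration.

```shell
#!/bin/sh
# Model of %{mschap:User-Name} (assumed rlm_mschap behaviour):
#   host/NAME.domain.tld -> NAME$   (the computer account name in AD)
#   DOMAIN\user          -> user
#   anything else        -> unchanged
mschap_user_name() {
    name=$1
    case $name in
        host/*)
            short=${name#host/}    # drop the "host/" prefix
            short=${short%%.*}     # keep only the part before the first dot
            printf '%s$\n' "$short"
            ;;
        *\\*)
            user=${name#*\\}       # drop everything up to the first backslash
            printf '%s\n' "$user"
            ;;
        *)
            printf '%s\n' "$name"
            ;;
    esac
}

# Model of %{%{Stripped-User-Name}:-%{%{User-Name}:-None}}:
# first non-empty of Stripped-User-Name, User-Name, literal "None".
default_user_name() {
    printf '%s\n' "${1:-${2:-None}}"
}

# Constructed sample identities: a machine login, a DOMAIN\user login, a bare user.
for id in 'host/pc01.example.com' 'EXAMPLE\alice' 'alice'; do
    # Stripped-User-Name is left empty, as when no realm module has set it.
    printf '%-24s default=%-24s mschap=%s\n' \
        "$id" "$(default_user_name '' "$id")" "$(mschap_user_name "$id")"
done
```

Under these assumptions only the second form produces a name that exists as an account in AD for the machine login, since the default passes host/pc01.example.com through unchanged.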