Machine authentications with proxy-inner-tunnel and NPS as backend
Wang, Yu
ywang10 at fsu.edu
Wed Jul 23 17:02:22 CEST 2014
I got our machine wireless auth working under a similar configuration to yours, except we use FreeRADIUS with NTLM. No Windows NPS involved. I ran into a username and password incorrect issue during setup and fixed it in the FR configuration by adding '$' to the username:
Under the authorize {} section of the inner-tunnel:
    # The two parenthesised descriptions are placeholders for site-specific patterns.
    if ( "%{request:User-Name}" =~ /(^host\/)(some regular expression to match machine name pattern)(some regular expression to match domain pattern)*$/i) {
        update request {
            # %{2} is the second capture group (the machine name); '$' is appended to it.
            Stripped-User-Name := "%{2}$"
        }
    }
Then pass "Stripped-User-Name" to NTLM.
Hope this helps.
Yu Wang
____________________________
Network Architect
Information Technology Services
The Florida State University
850-645-6810
yu.wang at fsu.edu
-----Original Message-----
From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of Herwin Weststrate
Sent: Monday, July 21, 2014 4:49 AM
To: freeradius-users at lists.freeradius.org
Subject: Machine authentications with proxy-inner-tunnel and NPS as backend
This isn't really a problem with FreeRADIUS, but maybe someone else here has tried this.
A short description of our setup: we're trying to use 802.1X on WLAN, with the access points using FreeRADIUS as backend, authenticating via PEAP. FreeRADIUS is configured to use the proxy-inner-tunnel virtual server for these requests, and uses Active Directory 2012R2 as a RADIUS backend (NPS).
With user authentication, this works like a charm once you've changed the policy to accept MSCHAPv2 outside of PEAP too. When trying to use this same setup with a machine authentication, the backend replies that the username or password is incorrect. When we're acting as a normal proxy instead of an inner-tunnel-proxy, it just works without any changes on the client PC.
Has anyone ever tried something like this and got the setup working?
--
Herwin Weststrate
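
The host/ rewrite described in the reply at the top of this thread can be checked against sample identities before the regular expression goes into the inner-tunnel; the following is an added example, not code from either poster or from FreeRADIUS. The machine-name pattern, the 15-character limit and the sample names are assumptions, and Python's `re` stands in for the regex engine FreeRADIUS is built with.

```python
import re

# Assumed site policy (not from the thread): the machine name is the first
# DNS label, 1-15 characters of letters, digits or hyphen, optionally
# followed by a domain suffix such as ".example.edu".
# Groups are numbered as in the posted unlang: 1 = "host/", 2 = machine name.
MACHINE_RE = re.compile(
    r"(host/)([a-z0-9](?:[a-z0-9-]{0,13}[a-z0-9])?)((?:\.[a-z0-9-]+)*)",
    re.IGNORECASE,
)


def machine_account_name(user_name):
    """Return 'NAME$' for a host/ identity, or None for anything else."""
    # fullmatch, unlike a trailing '$', also rejects a trailing newline.
    match = MACHINE_RE.fullmatch(user_name)
    if match is None:
        return None
    return match.group(2) + "$"


# Constructed sample identities, not taken from any real log.
SAMPLES = [
    "host/LAB-PC01.example.edu",        # machine identity with domain
    "HOST/lab-pc02",                    # no domain, upper-case prefix
    "alice",                            # ordinary user, must stay untouched
    "host/",                            # empty machine name
    "host/lab pc.example.edu",          # space is outside the name policy
    "host/lab-pc03.example.edu\n",      # trailing newline
    "host/averyveryverylonghostname.example.edu",  # label longer than 15
]


def rewrite_all(names):
    """Map each identity to the name that would be handed to NTLM."""
    return {name: machine_account_name(name) for name in names}


if __name__ == "__main__":
    for name, result in rewrite_all(SAMPLES).items():
        print(f"{name!r:48} -> {result!r}")
```

Identities that return None are the ones the `if` in the inner-tunnel would skip, so user logins keep their original User-Name.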