Machine auth fails but user auth works
Matthew Newton
mcn4 at leicester.ac.uk
Wed Dec 9 00:45:57 CET 2015
On Tue, Dec 08, 2015 at 11:38:16PM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> > (8) mschap : EXPAND --username=%{%{mschap:User-Name}:-00}
> > (8) mschap : --> --username=CCS-252$
>
> > (8) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (8) mschap : --> --username=host/CCS-252.cfs.uoguelph.ca
>
> ...err, yes...and NOW the server uses this broken version. delete that second entry so just CCS-252$
> is used as you had before.
Ug.
I'd just take the --challenge=683ac434c3c89a99 and
--nt-response=55082eea2ef4b8b9d7fb4985c654723659cdee6d13ebe2ef and
test them with ntlm_auth on the command line with different
combinations of --username and --domain to find out what actually
works. Then use that as a basis to work out what the config should
be.
If these are machines joined to a domain then won't they have
certificates auto-enrolled from the domain anyway? In which case
I'd just stick to PEAP/EAP-MSCHAPv2 for users and EAP-TLS for the
machines. More conventional and faster auth as well.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
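
The command-line test suggested in the message above, as an added example that is not part of the original post: it derives candidate `--username` values from the EAP identity and prints one `ntlm_auth` command per username/domain combination, using the challenge and NT response from the debug output. The function names are hypothetical, the domain is passed by the caller because the thread does not state it, and `--request-nt-key` is assumed to match how the mschap module invokes `ntlm_auth`.

```shell
#!/bin/sh
# Added example: build the ntlm_auth test matrix for a machine account.
# Values below are copied from the debug output quoted in the thread.
CHALLENGE=683ac434c3c89a99
NT_RESPONSE=55082eea2ef4b8b9d7fb4985c654723659cdee6d13ebe2ef

# Print candidate --username values, one per line, for an EAP identity.
# For host/<fqdn> this yields the identity itself, the FQDN, the short
# host name, and the short name with a trailing "$" (machine account form).
candidates() {
    ident=$1
    printf '%s\n' "$ident"
    case $ident in
        host/*)
            fqdn=${ident#host/}
            short=${fqdn%%.*}
            printf '%s\n' "$fqdn" "$short" "$short\$"
            ;;
    esac
}

# Print one ntlm_auth command line per username/domain combination.
# Usage: build_commands <identity> [domain ...]
# Each username is also tried with no --domain at all.
build_commands() {
    ident=$1
    shift
    candidates "$ident" | while IFS= read -r user; do
        for dom in "" "$@"; do
            printf "ntlm_auth --request-nt-key --username='%s'" "$user"
            [ -n "$dom" ] && printf " --domain='%s'" "$dom"
            printf ' --challenge=%s --nt-response=%s\n' \
                "$CHALLENGE" "$NT_RESPONSE"
        done
    done
}

# When called with arguments, print the matrix for review, e.g.
#   ./matrix.sh host/CCS-252.cfs.uoguelph.ca YOURDOMAIN
# (YOURDOMAIN is a placeholder; the thread does not give the domain.)
if [ "$#" -gt 0 ]; then
    build_commands "$@"
fi
```

Run the printed commands one at a time on the RADIUS server; the combination that returns an `NT_KEY:` line rather than an error is the one the mschap `ntlm_auth` line should expand to.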
More information about the Freeradius-Users
mailing list