MSCHAP Machine/User Authentication with Windows

Tynan Young tynany at gmail.com
Tue May 12 01:31:38 CEST 2015


On Mon, May 11, 2015 at 6:41 PM, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:
>>>> (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
>>>> (8) mschap :    --> --domain=in
> [snip]
>> Username = testuser
>> Domain = testdomain
> [snip]
>> I believe that debug is of an attempted machine authentication, which would
>> explain 'host/machine name' (ie host/win81-ops.in.testdomain).
>
> Ok, then see my quote above... mschap believes that your domain is 'in'. You might want to adjust the ntlm_auth command-line to hardcode the domain name in, or you can use unlang to set the NT-Domain attribute to 'testdomain'. :-)
>
> That should make it happ(y|ier).
>
> Additionally, Ben's posted a bunch of settings that might be useful in Windows. His dialogs are in German, although that should not really be an issue.
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator

Awesome, manually setting the domain attribute to testdomain fixed
machine authentication. My NTLM line now looks like:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=testdomain --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Thanks for the help.
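The following is an added example for this thread, not code from FreeRADIUS, Samba, or either poster. It models in Python how the mschap module's identity handling turns a User-Name into the --username/--domain arguments handed to ntlm_auth, so you can see why "host/win81-ops.in.testdomain" expanded to --domain=in and what hard-coding the domain (or setting it from unlang) changes. The splitting rules are inferred from the debug output quoted above; the "machine$" username form for host/ identities is assumed from Samba's machine-account naming and is not shown on the page. DEFAULT_DOMAIN mirrors the %{...:-TESTDOMAIN} fallback in the quoted expansion.

```python
"""Model of how an MS-CHAP inner identity becomes ntlm_auth arguments.

Added example for the FreeRADIUS machine-authentication thread; not the
module's source. Splitting rules are inferred from the quoted debug output
(host/win81-ops.in.testdomain -> --domain=in). The "machine$" form for
host/ names is an assumption based on Samba machine-account naming.
"""
from dataclasses import dataclass
from typing import List, Optional

# Fallback from the quoted expansion: --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
DEFAULT_DOMAIN = "TESTDOMAIN"


@dataclass(frozen=True)
class NtlmIdentity:
    user: str
    domain: Optional[str]  # None when nothing in the name looks like a domain


def split_identity(user_name: str) -> NtlmIdentity:
    """Derive (user, domain) the way the debug output suggests mschap does.

    DOMAIN\\user            -> user="user",     domain="DOMAIN"
    host/machine.label.tld  -> user="machine$", domain="label"  (first DNS label only)
    user                    -> user="user",     domain=None     (default applies later)
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return NtlmIdentity(user=user, domain=domain)
    if user_name.lower().startswith("host/"):
        fqdn = user_name[len("host/"):]
        host, _, rest = fqdn.partition(".")
        label = rest.partition(".")[0]  # "in" for win81-ops.in.testdomain
        return NtlmIdentity(user=host + "$", domain=label or None)
    return NtlmIdentity(user=user_name, domain=None)


def ntlm_auth_args(user_name: str, pinned_domain: Optional[str] = None,
                   challenge: str = "00", nt_response: str = "00") -> List[str]:
    """Build the argv the mschap ntlm_auth = "..." line would produce.

    pinned_domain=None mirrors --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN};
    a string mirrors the hard-coded --domain=testdomain fix from the thread.
    """
    ident = split_identity(user_name)
    domain = pinned_domain if pinned_domain is not None else (ident.domain or DEFAULT_DOMAIN)
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--username={ident.user}",
        f"--domain={domain}",
        f"--challenge={challenge}",
        f"--nt-response={nt_response}",
    ]


def domain_mismatch(user_name: str, expected_domain: str,
                    pinned_domain: Optional[str] = None) -> bool:
    """True when the derived --domain would not match the Samba/AD domain.

    Pre-flight check: run it over the identity shapes your clients actually
    send before relying on the NT-Domain expansion for machine accounts.
    """
    args = ntlm_auth_args(user_name, pinned_domain)
    domain = next(a for a in args if a.startswith("--domain=")).split("=", 1)[1]
    return domain.lower() != expected_domain.lower()


if __name__ == "__main__":
    # Constructed sample identities in the shapes seen in this thread.
    for name in ["testuser", "TESTDOMAIN\\testuser", "host/win81-ops.in.testdomain"]:
        print(f"{name:32} xlat:   {' '.join(ntlm_auth_args(name)[2:4])}")
        print(f"{name:32} pinned: {' '.join(ntlm_auth_args(name, 'testdomain')[2:4])}")
```

Running the block prints the xlat-derived and pinned argument pairs for each constructed identity; the host/ line is the one where the two differ. The same mismatch check applies if you later replace the hard-coded domain with an unlang-set value: whatever produces the --domain argument should yield the real NetBIOS domain for every identity shape, not just for user logons.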

