Can Radius pass client ip details to Windows AD during ntlm authentication?

Brian Julin BJulin at clarku.edu
Sun Mar 13 05:08:43 CET 2016


Eby Mani wrote:

> Can Radius Server pass client ip details to Windows AD during ntlm authentication?

> Here is the scenario, WirelessLanController is configured to provide access only after authenticating using Radius.
> Radius server is configured for WPA2 Enterprise with Active Directory integration using samba/winbind (ntlm_auth).

> I can login to the wireless network using AD username and password. The trouble is, AD doesn't know my real ip. It 
> shows my username, Radius server IP and system name when searching for details.

The IP address of the host is not known until well after the NTLM authentication takes place.  DHCP happens after the
authentication -- nothing knows the IP until this point.  Even with static IP addresses, the first IP packet, or even ARP,
is not sent until after the authentication completes, so only the client will know it.

What you may be able to do is set up the WiFi controller to send accounting packets when it discovers the IP,
which includes the username, then shell out to a script to do something to inject log entries into the AD server.
However, they could not be NTLM authentication logs, because at that point the RADIUS server no longer has
the NTLM challenge/response, so it cannot pretend to be the user anymore.

Another possibility is if you are in an environment where you could set up a secondary layer of encryption with IPSEC
on the clients, as an authentication to an IPSEC RAS would indeed know the IP address.  However, this would still
appear to come from the IPSEC RAS's IP unless Windows authentication has a method to record a supplementary IP.
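As an added illustration of the accounting-based approach above (this is example code written for this page, not part of Brian's reply and not FreeRADIUS's own code): a script that reads accounting records in the layout rlm_detail writes (an unindented date line, tab-indented "Attribute = Value" lines, blank line between records) and reports the moment a session first carries a Framed-IP-Address. The three records are constructed, not a real capture; they model the sequence the reply describes, where the Start record has no IP because the client has not run DHCP yet and the controller only reports the address in a later Interim-Update. What you do with each binding (forward it to a SIEM, write a log entry) is left as the print in main(); the attribute names are standard RADIUS accounting attributes.

```python
"""Derive username-to-IP bindings from RADIUS accounting (rlm_detail format).

Added example, not FreeRADIUS code.  Sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: Start without an IP, Interim-Update once the NAS has
# learned it, then Stop.  Layout mimics what rlm_detail writes.
SAMPLE_DETAIL = (
    "Sat Mar 12 23:08:43 2016\n"
    "\tAcct-Status-Type = Start\n"
    "\tAcct-Session-Id = \"5e1a0001\"\n"
    "\tUser-Name = \"alice\"\n"
    "\tCalling-Station-Id = \"00-11-22-33-44-55\"\n"
    "\tNAS-IP-Address = 192.0.2.10\n"
    "\tTimestamp = 1457820523\n"
    "\n"
    "Sat Mar 12 23:08:51 2016\n"
    "\tAcct-Status-Type = Interim-Update\n"
    "\tAcct-Session-Id = \"5e1a0001\"\n"
    "\tUser-Name = \"alice\"\n"
    "\tCalling-Station-Id = \"00-11-22-33-44-55\"\n"
    "\tFramed-IP-Address = 10.20.30.40\n"
    "\tNAS-IP-Address = 192.0.2.10\n"
    "\tTimestamp = 1457820531\n"
    "\n"
    "Sat Mar 12 23:40:02 2016\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Session-Id = \"5e1a0001\"\n"
    "\tUser-Name = \"alice\"\n"
    "\tFramed-IP-Address = 10.20.30.40\n"
    "\tAcct-Terminate-Cause = User-Request\n"
    "\tTimestamp = 1457822402\n"
)


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split rlm_detail output into one dict of attributes per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():                 # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        if raw[0] not in " \t":             # unindented line is the date header
            if current:
                records.append(current)
            current = {"_header": raw.strip()}
            continue
        name, sep, value = raw.strip().partition(" = ")
        if not sep:
            continue                        # not an attribute line
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]             # drop rlm_detail's string quoting
        current[name] = value
    if current:
        records.append(current)
    return records


@dataclass
class Session:
    user: str
    mac: str
    nas: str
    ip: Optional[str] = None


# (timestamp, user, mac, ip, status-type that revealed the IP)
Binding = Tuple[str, str, str, str, str]


def correlate(records: List[Dict[str, str]]) -> Tuple[List[Binding], Dict[str, Session]]:
    """Track sessions by Acct-Session-Id; emit a binding whenever a session's IP is learned or changes."""
    active: Dict[str, Session] = {}
    bindings: List[Binding] = []
    for rec in records:
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        if not sid or not status:
            continue
        sess = active.get(sid)
        if sess is None:                    # identity comes from the first record seen
            sess = Session(rec.get("User-Name", "?"), rec.get("Calling-Station-Id", "?"),
                           rec.get("NAS-IP-Address", "?"))
            active[sid] = sess
        ip = rec.get("Framed-IP-Address")
        if ip and ip != sess.ip:            # first sighting, or address changed
            sess.ip = ip
            bindings.append((rec.get("Timestamp", "?"), sess.user, sess.mac, ip, status))
        if status == "Stop":
            del active[sid]
    return bindings, active


if __name__ == "__main__":
    for ts, user, mac, ip, via in correlate(parse_detail(SAMPLE_DETAIL))[0]:
        print(f"{ts} user={user} mac={mac} ip={ip} via={via}")
```

Running it prints one line, dated by the Interim-Update rather than the Start, which is exactly the point made above: the binding exists only once the controller has seen traffic from the client. Feed the real detail file (or an accounting exec hook) into parse_detail() to get the same mapping for live sessions.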
