Can Radius pass client ip details to Windows AD during ntlm authentication?
Eby Mani
eby_km at yahoo.com
Mon Mar 14 10:15:30 CET 2016
@Alan DeKok
>AD shows the IP that the login request came from. In this case, that's the RADIUS server.
>There is no way I know to pass more information in the login request.
Now I understand why it only shows the last user in the Single-SignOn client when multiple clients are connected through the RADIUS server. Perhaps another way exists to pass more information after authentication?
@Matthew Newton
>Look at the logs on the RADIUS server
The RADIUS accounting log contains client info; included for reference.
@Brian Julin & @Scott Armitage
>What you may be able to do is set up the WiFi controller to send accounting packets when it discovers the IP, which includes the username, then shell out to a script to do something to inject log entries into the AD server.
>The best you can do is configure your wireless to send RADIUS accounting with interim updates.
Interesting, the RADIUS server is doing the accounting. The WLC has the option to send accounting packets to another server. To which server should the WLC send accounting packets?
When the WLC is configured to use Windows NPS for AAA, wireless network access is granted, but only Windows computers joined to the particular domain are able to access certain networks (protected & internet), as those are configured with Single-SignOn. Linux systems joined to the domain (realmd / sssd / likewise open) don't even show up in the firewall single-signon agent installed in AD.
Here is the RADIUS accounting log.
***********************************************
Mon Mar 14 13:06:55 2016
Acct-Status-Type = Interim-Update
NAS-IP-Address = 10.225.253.10
User-Name = '0129'
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '***'
Called-Station-Id = '####'
Framed-IP-Address = 10.225.251.33
Acct-Multi-Session-Id = '***-233931'
Acct-Session-Id = 'F05C1986E781-***-39CCB'
Acct-Delay-Time = 0
Aruba-Essid-Name = 'VOIP-DEMO'
Aruba-Location-Id = '####'
Aruba-User-Vlan = 111
Acct-Input-Octets = 22221
Acct-Output-Octets = 5160
Acct-Input-Packets = 341
Acct-Output-Packets = 26
Acct-Session-Time = 277
Event-Timestamp = 'Mar 14 2016 13:06:55 IST'
Acct-Unique-Session-Id = '6546072bc6e91077cfb7572486c87dc5'
Timestamp = 1457941015
Mon Mar 14 13:07:46 2016
Acct-Status-Type = Interim-Update
NAS-IP-Address = 10.225.253.10
User-Name = 'pt1479'
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '***'
Called-Station-Id = '####'
Framed-IP-Address = 10.225.251.32
Acct-Multi-Session-Id = '***-482768'
Acct-Session-Id = 'F05C1986E261-***-76980'
Acct-Delay-Time = 0
Aruba-Essid-Name = 'VOIP-DEMO'
Aruba-Location-Id = '####'
Aruba-User-Vlan = 111
Acct-Input-Octets = 10912
Acct-Output-Octets = 5416
Acct-Input-Packets = 100
Acct-Output-Packets = 27
Acct-Session-Time = 154
Event-Timestamp = 'Mar 14 2016 13:07:46 IST'
Acct-Unique-Session-Id = 'b4cc8c7562777c2569e0ce29e596022e'
Timestamp = 1457941066
***********************************************
Eby
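Added example, not part of the original post and not FreeRADIUS project code: one way to write the script the quoted replies describe, parsing accounting records like those above into a current IP-to-user table. The function names are hypothetical, and how the table is handed to the firewall SSO agent or AD is outside what the thread covers.

```python
import re

# Abbreviated from the two Interim-Update records in the post; the final
# Stop record is constructed here to exercise session teardown.
SAMPLE = """\
Mon Mar 14 13:06:55 2016
\tAcct-Status-Type = Interim-Update
\tUser-Name = '0129'
\tFramed-IP-Address = 10.225.251.33
\tTimestamp = 1457941015
Mon Mar 14 13:07:46 2016
\tAcct-Status-Type = Interim-Update
\tUser-Name = 'pt1479'
\tFramed-IP-Address = 10.225.251.32
\tTimestamp = 1457941066
Mon Mar 14 13:09:00 2016
\tAcct-Status-Type = Stop
\tUser-Name = '0129'
\tFramed-IP-Address = 10.225.251.33
\tTimestamp = 1457941140
"""

ATTR = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def parse_detail(text):
    """Split a detail-style log into one dict of attributes per record."""
    records, current = [], None
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            if current is not None:
                current[m.group(1)] = m.group(2).strip("'\"")
        elif line.strip() and not set(line.strip()) <= {"*"}:
            current = {}            # a timestamp header starts a new record
            records.append(current)
    return records

def ip_to_user(records):
    """Replay records in Timestamp order; a Stop removes the binding."""
    table = {}
    for r in sorted(records, key=lambda r: int(r.get("Timestamp", 0))):
        ip, user = r.get("Framed-IP-Address"), r.get("User-Name")
        if not ip or not user:
            continue                # no IP learned yet, nothing to map
        if r.get("Acct-Status-Type") != "Stop":
            table[ip] = user        # Start or Interim-Update refreshes it
        elif table.get(ip) == user:
            del table[ip]           # only the owning user's Stop clears it
    return table
```

Keying the table by IP rather than by user keeps a reassigned DHCP address from being attributed to its previous user once a newer record arrives.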