Using machine auth from a remote eduroam site

Alex Sharaz alex.sharaz at
Mon Mar 26 18:12:52 CEST 2018

For a long long time now I've been using freeradius to auth PEAP and
EAP-TLS inbound requests from eduroam to our Tier 1 FreeRadius (
3.0.16) servers.

We now want to enable our managed laptops to  connect to eduroam at a
remote site using machine authentication using EAP-TTLS.

I've got part of the way in that I can see an inbound request from
host/<fqdn of laptop> and a failure

"Login incorrect (mschap: No such user [0xC0000064]):
[host/] (from client yorkcc port 76 cli
80-86-F2-E0-7D-24 via TLS tunnel)"

So I guess this makes sense as our machines are in a different part of
our AD Tree to our users. On our clearpass system I check for a
username of the form host/ and do an auth against
different AD tree branch and everything works.

I'm using winbindd on our  Tier 1 FR servers. Guess I need to create
another mschap instance specifically for machine auths and point it at
another part of the AD tree.

Assuming that's what I have to do, how do I point  mschap at a
different part of the AD tree for authentication?

More information about the Freeradius-Users mailing list