Using machine auth from a remote eduroam site
Alex Sharaz
alex.sharaz at york.ac.uk
Mon Mar 26 18:12:52 CEST 2018
For a long long time now I've been using freeradius to auth PEAP and
EAP-TLS inbound requests from eduroam to our Tier 1 FreeRADIUS (3.0.16)
servers.
We now want to enable our managed laptops to connect to eduroam at a
remote site using machine authentication using EAP-TTLS.
I've got part of the way in that I can see an inbound request from
host/<fqdn of laptop> and a failure
"Login incorrect (mschap: No such user [0xC0000064]):
[host/dpslap001.its.york.ac.uk] (from client yorkcc port 76 cli
80-86-F2-E0-7D-24 via TLS tunnel)"
So I guess this makes sense as our machines are in a different part of
our AD tree to our users. On our ClearPass system I check for a
username of the form host/.....york.ac.uk/ and do an auth against a
different branch of the AD tree and everything works.
I'm using winbindd on our Tier 1 FR servers. Guess I need to create
another mschap instance specifically for machine auths and point it at
another part of the AD tree.
Assuming that's what I have to do, how do I point mschap at a
different part of the AD tree for authentication?
Rgds
Alex
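Added illustration (not from this thread, and not the poster's or the FreeRADIUS project's own configuration) of the usual way to handle host/<fqdn> identities on a FreeRADIUS 3.0.x server that uses winbind: winbind and ntlm_auth authenticate against the domain as a whole, so the OU holding the computer object does not need to be "pointed at"; what has to change is the name handed to AD, which must be the machine's sAMAccountName (HOSTNAME$) instead of host/<fqdn>. The instance name mschap_machine, the NetBIOS domain name YORK and the file locations are assumptions.

```unlang
# mods-available/mschap: a second mschap instance for machine accounts.
# Same winbind backing as the user instance; the only difference is the
# name passed to winbind, which comes from the rewrite done in authorize.
mschap mschap_machine {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    winbind_username = "%{Stripped-User-Name}"
    winbind_domain = "YORK"     # assumed NetBIOS domain name
}

# sites-enabled/inner-tunnel, authorize section: identities such as
# host/dpslap001.its.york.ac.uk become DPSLAP001$ and are routed to the
# machine instance; everything else keeps the default mschap instance.
authorize {
    ...
    if (&User-Name =~ /^host\/([^.\/]+)\./i) {
        update request {
            &Stripped-User-Name := "%{1}$"
        }
        update control {
            &Auth-Type := mschap_machine
        }
    }
    else {
        mschap
    }
    ...
}

# sites-enabled/inner-tunnel, authenticate section
authenticate {
    ...
    Auth-Type mschap_machine {
        mschap_machine
    }
    ...
}
```

With this in place, a failing machine auth shows up in the debug output under Auth-Type mschap_machine with the rewritten Stripped-User-Name, which makes "No such user" for a missing or disabled computer account easy to tell apart from a user-account failure.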