Using machine auth from a remote eduroam site
Adam Bishop
Adam.Bishop at jisc.ac.uk
Mon Mar 26 18:44:59 CEST 2018
On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm using winbindd on our Tier 1 FR servers. Guess I need to create
> another mschap instance specifically for machine auths and point it at
> another part of the AD tree.
I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary?
Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree.
The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username:
http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto#introduction_mods-available-mschap
I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username.
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
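Added example (not code from the thread, FreeRADIUS or Samba): the username mangling the reply alludes to, written out so the effect of the DOMAIN\user prefix, a user@realm suffix and the host/fqdn identity a Windows machine sends can be checked against what ntlm_auth is actually handed. Assumptions, all labelled in the code: the sample identities and the realm-to-domain table are constructed; a computer account's sAMAccountName is taken to be the short hostname with a trailing "$"; the ntlm_auth path is a placeholder. The ntlm_auth flags used are the real ones, and the command is built as an argv list rather than a shell string so a backslash in the identity cannot be reinterpreted on the way to the wire.

```python
import re

# Constructed sample identities (not from the thread) in the forms a RADIUS
# server can receive: bare user, user@realm, DOMAIN\user, and the host/<fqdn>
# identity a Windows supplicant sends for machine authentication.
SAMPLE_IDENTITIES = [
    "alice",
    "alice@example.ac.uk",
    "EXAMPLE\\alice",
    "host/lab-pc01.example.ac.uk",
    "EXAMPLE\\host/lab-pc01.example.ac.uk",
]

# Assumed realm -> NetBIOS domain table for this example only; a real site
# derives this from its own AD layout.
REALM_TO_DOMAIN = {"example.ac.uk": "EXAMPLE"}

HEX = re.compile(r"^[0-9A-Fa-f]+$")


def split_identity(user_name, default_domain=None, realm_map=REALM_TO_DOMAIN):
    """Return (domain, account) for a User-Name as seen on the wire.

    DOMAIN\\user is the form rlm_preprocess's nt_domain_hack strips;
    user@realm is mapped through realm_map; anything else gets default_domain.
    A host/<fqdn> identity is mapped to the AD computer account, assumed here
    to be the upper-cased short hostname with a trailing '$'.
    """
    domain, name = default_domain, user_name
    if "\\" in name:
        domain, _, name = name.partition("\\")
    elif "@" in name:
        name, _, realm = name.rpartition("@")
        domain = realm_map.get(realm.lower(), default_domain)
    if name.lower().startswith("host/"):
        fqdn = name[len("host/"):]
        name = fqdn.split(".")[0].upper() + "$"
    return domain, name


def ntlm_auth_argv(user_name, challenge_hex, nt_response_hex,
                   default_domain=None, ntlm_auth="/usr/bin/ntlm_auth"):
    """Build the ntlm_auth command as an exec'd argv list (no shell).

    challenge_hex is the 8-byte MS-CHAPv2 challenge and nt_response_hex the
    24-byte NT-Response, both hex-encoded; the path is a placeholder.
    """
    for label, value, nbytes in (("challenge", challenge_hex, 8),
                                 ("nt-response", nt_response_hex, 24)):
        if not HEX.match(value) or len(value) != 2 * nbytes:
            raise ValueError(f"{label} must be {nbytes} bytes of hex, got {value!r}")
    domain, account = split_identity(user_name, default_domain)
    argv = [ntlm_auth, "--request-nt-key", "--allow-mschapv2",
            f"--username={account}",
            f"--challenge={challenge_hex}",
            f"--nt-response={nt_response_hex}"]
    if domain:
        argv.append(f"--domain={domain}")
    return argv


def escape_for_double_quoted(s):
    """Escape a value for a double-quoted FreeRADIUS config string, where a
    backslash is the escape character: one literal backslash is written as
    two, and embedded double quotes are escaped."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def demo(default_domain="EXAMPLE"):
    """Map every sample identity to the (domain, account) ntlm_auth would see."""
    return {u: split_identity(u, default_domain) for u in SAMPLE_IDENTITIES}


if __name__ == "__main__":
    for ident, (dom, acct) in demo().items():
        print(f"{ident!r:45} -> domain={dom} account={acct}")
    print(ntlm_auth_argv("EXAMPLE\\host/lab-pc01.example.ac.uk", "00" * 8, "11" * 24))
```

Running it prints the mapping for each sample identity and the argv for the machine-account case; a packet capture of the real User-Name and the MS-CHAP2-Response name field is the input to feed it when checking a live deployment.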