Emulate AD-based machine authentication
Josef Vybíhal
josef.vybihal at gmail.com
Wed Feb 19 09:59:57 CET 2020
Hi,
if winbind works for you, the "machine auth" should too. When the Windows
supplicant is set to do machine auth, it uses a username in the form
'host/hostname.your.domain'. Internally in AD, it's an object similar to a
user account, with additional class(es). It has its own samaccountname and
userprincipalname. Also it has a password, which is changed by default every
30 days (
https://docs.microsoft.com/cs-cz/archive/blogs/askds/machine-account-password-process-2
).
Here is an example machine auth request from the debug log.
(0) Received Access-Request Id 114 from 172.24.254.250:32774 to 172.24.1.6:1812 length 344
(0) User-Name = "host/PROBOOK.ABC.cz"
(0) Chargeable-User-Identity = 0x00
(0) Location-Capable = Civic-Location
(0) Calling-Station-Id = "20-10-7a-01-77-fe"
(0) Called-Station-Id = "3c-ce-73-6d-3a-50:ABC"
(0) NAS-Port = 1
(0) Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9"
(0) Acct-Session-Id = "5c666ce9/20:10:7a:01:77:fe/96853"
(0) Cisco-AVPair = "mDNS=true"
(0) NAS-IP-Address = 172.25.100.100
(0) NAS-Identifier = "CT2504_100.100"
(0) Airespace-Wlan-Id = 1
(0) Service-Type = Framed-User
(0) Framed-MTU = 1300
(0) NAS-Port-Type = Wireless-802.11
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Private-Group-Id:0 = "666"
(0) EAP-Message = 0x...
(0) Message-Authenticator = 0x...
Run your radiusd with radiusd -X and set Windows to do machine auth, and you
will see something similar to the above.
Then in post-auth you can, for example, do some checking like:
if (&User-Name =~ /^host\/.*$/) {
    update reply {
        ...
    }
    ...
}
Hope that helps,
P.
On Tue, Feb 18, 2020 at 4:28 PM Munroe Sollog <mus3 at lehigh.edu> wrote:
> I am trying to replace our current Microsoft NPS server with freeradius. I
> was able to follow the docs and use winbind to get PEAP-mschap user
> authentication working flawlessly. The last piece of this puzzle is, NPS
> has a "magic checkbox" that enables machine-based authentication. I have
> been trying to figure out what that checkbox does, without much luck.
>
> My best guess is that it's using the Active Directory certificates to do
> EAP-TLS auth, but that is just my guess. Has anyone ever tried to
> replicate this feature? or have any insight? I realize this isn't strictly
> a freeradius question, but thought I would ask.
>
> --
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
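As an added example (not code from Josef's post or from the FreeRADIUS project), here is a fuller form of that post-auth check in FreeRADIUS 3.x unlang: it separates machine auth from user auth by the host/ prefix, captures the short hostname, and returns a different VLAN for each case. The VLAN ids are placeholders to replace with your own.

```unlang
# Goes into the post-auth section of your virtual server
# (e.g. sites-enabled/default). Added example, not from the original post.
# VLAN ids 666 and 100 are placeholders.
post-auth {
    # Windows machine auth: User-Name arrives as host/hostname.your.domain
    # (as in the debug log above). The regex captures the short hostname
    # in %{1}; /i because the supplicant may vary the case of the name.
    if (&User-Name =~ /^host\/([^.]+)\..+$/i) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            # Machine-only VLAN: enough reach for AD/GPO before a user logs in
            &Tunnel-Private-Group-Id := "666"
            &Reply-Message := "machine auth ok for host %{1}"
        }
    }
    else {
        # Ordinary user auth (e.g. DOMAIN\user via PEAP-MSCHAPv2 + winbind)
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "100"
        }
    }
}
```

With PEAP the MS-CHAPv2 check itself runs in the inner-tunnel virtual server, so place the rule where the User-Name you want to test is visible; the outer Access-Request shown above already carries the host/ form.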